RISK AS A SUBSET OF INTERNAL CONTROL

Part of the document Simple Tools and Techniques for Enterprise Risk Management, Second Edition, by Robert J Chapman PhD (pages 124 - 128)

6 Internal Control and Risk Management

6.2 RISK AS A SUBSET OF INTERNAL CONTROL

Turnbull describes a company’s system of internal control as having a key role in the management of risks that are significant to the fulfilment of its business objectives and states that financial records help ensure that the company is not unnecessarily exposed to avoidable financial risks. Section 10 of the guidance describes one of the main functions of internal control as follows: “A sound system of internal control contributes to safeguarding the shareholders’ investment and the company assets.”

Turnbull states that a company’s objectives, its internal organisation and the environment within which it operates are continually changing. A sound system of internal control therefore depends on a thorough and regular evaluation of the nature and extent of the risks to which the company is exposed. He argues that as profits are in part the reward for successful risk taking in business, the purpose of internal control must be to help manage and control risk appropriately.

Figure 6.1 illustrates the relationship of corporate governance (in the form of the 2003 Combined Code) to internal control, its subsets and specifically risk management.

6.2.1 The Application of Risk Management

[Figure 6.1 Composition of the Combined Code 2003 and its relationship to the Turnbull guidance. Labels in the figure: Corporate Governance: The Combined Code on Corporate Governance, July 2003 (A. Directors; B. Remuneration; C. Accountability and audit, with C.1 Financial reporting, C.2 Internal control and C.3 Audit committee and auditors; D. Relations with shareholders; E. Institutional shareholders). Internal Control: Internal Control: Guidance for Directors on the Combined Code, published by the Institute of Chartered Accountants in England and Wales in September 1999. Internal control subsets shown: financial, operational, compliance, risk management. Elements of a sound system of internal control: facilitate its [the company’s] effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieve the company’s objectives; help ensure the quality of internal and external reporting; help ensure compliance with applicable laws and regulations.]

On completion of the guidance on internal control produced by the Working Party led by Nigel Turnbull, the Institute of Chartered Accountants (ICA) published a briefing to aid its implementation. It provides clear, unambiguous guidance on how to implement risk management within a business. In the foreword to Implementing Turnbull (Jones and Sutherland 1999), Sir Brian Jenkins (the then chairman of the Corporate Governance Group of the ICA) stated that the aim of this briefing was to be a source of timely, practical help to those directors who wished to take steps to implement the new guidance in a straightforward way, which would bring business benefits. The executive summary (echoed in the foreword) stated that the briefing had been prepared for directors who wished to take straightforward steps towards achieving Turnbull or who are interested in the practicalities of good risk management and internal control and in getting added value for their companies from the guidance. The key messages of the briefing are:

• Do not delay in implementing Turnbull

• Obtain management buy-in at all levels of the organisation

• Prepare a plan

• Identify clear company objectives

• Prioritise the risks to the achievement of the objectives

• Establish a clear risk management policy and control strategies

• Consult throughout the business

• Improve the business culture where appropriate

• Keep it simple and straightforward

• Monitor continuously

• Avoid audit committee overload

• Incorporate Turnbull in your management and governance processes

• Aim to obtain business improvement

The briefing “walks” the reader through (1) Why Turnbull? (the benefits of risk management and internal control), (2) How to add value (through seeking opportunities, rather than solely focusing on downside risk), (3) Immediate actions (gaining buy-in and an appropriate scale of approach), (4) Risks (risk identification and prioritisation), (5) Embedding the process, (6) Monitoring and internal audit, (7) Board level considerations (timing of review), (8) Disclosures (the content of annual reviews) and (9) Other considerations (committees, benchmarking performance and pitfalls to avoid).

Benefits

The briefing explains that the Turnbull guidance is about the adoption of a risk-based approach to establishing a system of internal control and reviewing its effectiveness. Further, it explains the importance of effective risk management in that when directors have set goals as part of long-term planning, the emergence of risks can mean that a company’s realised goals are very different from its intended, desired goals. One of the greatest strengths of the briefing is that it spells out the benefits of implementing risk management through a focus on the management of change to seize opportunities and minimise downside risk, as follows:

A risk based approach can make a company more flexible and responsive to market fluctuations making it better able to satisfy customers’ ever-changing needs in a continually evolving business environment. Companies can gain an early-mover advantage by adapting to new circumstances faster than their rivals, which again could lead to competitive advantage in the medium to long term. External perceptions of a company are affected by the level of risk that it faces and by the way its risks are managed. A major risk exposure and source of business failure and/or lack of opportunity success has been the failure to manage change. Companies need to be aware of changing markets, service delivery (e.g. e-commerce) and morale. Effective risk management and internal control can be used to manage change, to all levels of people in the company in meeting its business objectives, and to improve a company’s credit rating and ability to raise funds in the future, not to mention its share price over the longer term.

The briefing states the following potential benefits of effective risk management:

• Early mover into new business areas

• Greater likelihood of achieving business objectives

• Higher share prices over the longer term

• Reduction in management time spent “fire fighting”

• Increased likelihood of change initiatives being achieved

• More focus internally on doing the right things properly

• Lower cost of capital

• Better basis of strategy setting

• Achievement of competitive advantage

• Fewer sudden shocks and unwelcome surprises

Risks

The briefing provides guidance on the process of the identification of risks, understanding risk appetite, whether detailed quantification should be carried out and how risks should be prioritised.


Table 6.1 Risk matrix (Jones and Sutherland 1999, Figure 7)

Business

• Wrong business strategy
• Competitive pressure on price/market share
• General economic problems
• Regional economic problems
• Political risks
• Obsolescence of technology
• Substitute products
• Adverse government policy
• Industry sector in decline
• Takeover target
• Inability to obtain further capital
• Bad acquisition
• Too slow to innovate

Financial

• Liquidity risk
• Market risk
• Going concern problems
• Overtrading
• Credit risk
• Interest risk
• Currency risk
• High cost of capital
• Treasury risk
• Misuse of financial resources
• Occurrence of types of fraud to which the business is susceptible
• Misstatement risk related to published financial information
• Breakdown of the accounting system
• Unrecorded liabilities
• Unreliable accounting records
• Penetration and attack of IT systems by hackers
• Decisions based on incomplete or faulty information
• Too much data and not enough analysis
• Unfulfilled promises to investors

Compliance

• Breach of Listing Rules
• Breach of financial regulations
• Breach of Companies Act requirements
• Litigation risk
• Breach of competition laws
• VAT problems
• Breach of other regulations and laws
• Tax penalties
• Health and safety risks
• Environmental problems

Operational and other

• Business processes not aligned to strategic goals
• Failure of major change initiative
• Loss of entrepreneurial spirit
• Stock-out of raw materials
• Skills shortage
• Physical disasters (including fire and explosion)
• Failure to create and exploit intangible assets
• Loss of intangible assets
• Breach of confidentiality
• Loss of physical assets
• Lack of business continuity
• Succession problems
• Year 2000 problems
• Loss of key people
• Inability to reduce cost base
• Major customers impose tough contract obligations
• Overreliance on key suppliers or customers
• Failure of new products or services
• Poor service levels
• Failure to satisfy customers
• Quality problems
• Lack of orders
• Failure of major project
• Loss of key contracts
• Inability to make use of the Internet
• Failure of outsource provider to deliver
• Industrial action
• Failure of big technology related project
• Lack of employee motivation or efficiency
• Inability to implement change
• Inefficient/ineffective processing of documents
• Poor brand management
• Product liability
• Inefficient/ineffective management process
• Problems arising from exploiting employees in developing countries
• Other business priority issues
• Other issues giving rise to reputational problems
• Missed business opportunities

The briefing also provides a risk matrix (see Table 6.1), which it describes as setting out the various risks to consider, while at the same time providing a cautionary note that the matrix should not be regarded as comprehensive. The matrix provides a useful guide to the types of issues to be thought about and, where relevant, addressed. A way of framing the risk exposure of a business and developing a risk taxonomy is discussed in Chapter 9.
