Internal Control and Risk Management

Thomas Henschel

Learning Objectives

- To appreciate current regulations of Internal Control and Risk Management
- To understand that risk management is an integral part of corporate governance
- To appreciate the benefits of Enterprise Risk Management and controlling risks

The role of the board and the integration of risk management

Source: Chapman, Enterprise Risk Management, Wiley, 2021, p. 7

Diagram labels: Risk and Opportunity Management; Policy review cycle; Operations review cycle; Governance review cycle; Strategy review cycle; Internal; External; Short-term; Long-term

Accountability
- to the company
- to owners
- to regulators
- to legislators
- to other stakeholders

Policy formulation
- creating the vision
- creating the mission
- creating values
- developing culture
- monitoring the environment

Strategic thinking
- positioning in the changing markets
- setting corporate direction
- reviewing and deciding key resources
- deciding the implementation process

Supervisory management
- oversight management
- monitoring budgetary control
- reviewing key business results
- ensuring business capability

Internal control and risk management in context

Diagram labels:
- HM Treasury
- Financial Services Authority (FSA)
- Admission to listing and trading on an RIE market
- Guidance on Audit Committees (The Smith Guidance, 2003)
- Internal Control: Guidance for Directors on the CC, Turnbull Committee 1999
- Institute of Chartered Accountants in England and Wales
- Financial Services and Markets Act 2000
- Trade securities on RIE Market
- London Stock Exchange
- UK subsidiaries of US listed companies
- Sarbanes-Oxley Act 2002
- Requires reporting on the effectiveness of internal controls
- COSO ERM Framework
- Listing Rules
- Risk Management
- Auditors
- Public Company (Issuer)
- Internal Control
- Annual Reports and Accounts
- Describe compliance with the provisions of the Combined Code
- Combined Code of Corporate Governance July 2008
- Derek Higgs Report
- Robert Smith Guidance
- C.2 Internal Control
- C.3 Audit Committee and Auditors

Source: Chapman, Enterprise Risk Management, Wiley, 2021, p. 42

Personnel training

I. Objectives of personnel training

Training is continuous and effective work in which an organisation gives its employees planned, targeted education and training so that they can improve their current knowledge and abilities. Training aims to raise the quality of the workforce and promote the development of the organisation, achieving the following four specific objectives:
- (1) Add new knowledge and refine new skills
- (2) Develop abilities fully and improve competitiveness
- (3) Change attitudes and improve quality
- (4) Exchange information and strengthen cooperation

II. Methods of personnel training

The main training targets in an organisation are new employees, front-line employees, general technical or managerial staff, and senior technical or managerial staff.

Depending on the position held, training can be divided into:
- (1) New employees
- (2) On the job
- (3) Off the job

Depending on the objectives and content of the training, it can further be divided into the following forms:
- (4) Professional knowledge and skills
- (5) Job rotation
- (6) Promotion
- (7) Creating assistant positions
- (8) Creating temporary positions

Composition of the Combined Code 2021 and its relationship to the Turnbull guidance

Corporate Governance: The Combined Code on Corporate Governance, July 2021

Internal Control: Internal Control: Guidance for Directors on the Combined Code, published by the Institute of Chartered Accountants in England and Wales in September 1999

Sections of the Combined Code:
- A. Directors
- B. Remuneration
- C. Accountability and audit
  - C.1 Financial Reporting
  - C.2 Internal Control
  - C.3 Audit committee and auditors
- D. Relations with Shareholders
- E. Institutional Shareholders

Diagram labels: financial; operational; compliance; risk management

Elements of a sound system of internal control:
- Facilitate its (the company's) effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieve the company's objectives.
- Help ensure the quality of internal and external reporting
- Help ensure compliance with applicable laws and regulations

Source: Chapman, Enterprise Risk Management, Wiley, 2021, p. 35

The Turnbull Report 1999

- The Combined Code (1998) dealt with internal control in Provisions D.2.1 and D.2.2. These became Provisions C.2 and C.2.1 in the Revised Combined Code (2003, 2021).
- In these Provisions, the Code stated that company directors should conduct a review of the effectiveness of their internal control systems and report this information to shareholders.
- Turnbull provided an explicit framework for reporting on risk management.

The Turnbull Framework

Solomon et al., 2007

Defining internal control

Definition of COSO (Committee of Sponsoring Organizations)

Internal control is a process, established, operated and monitored by those charged with governance and management of a company, to provide reasonable assurance regarding the achievement of objectives in the following categories:
- a) The effectiveness and efficiency of the company's operations;
- b) The reliability of its financial reporting;
- c) Its compliance with applicable laws and regulations.

Internal control objectives (COSO)

- Sustaining the company's business operations (efficiency and effectiveness concerns)
- Preparing reliable financial reporting (including financial statements)
- Compliance with applicable laws and regulations

Components of a system of internal control (COSO)

A system of internal control consists of five interrelated components:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring

Each component is relevant for each internal control objective.

Components of a system of internal control

Separation of functions

Separation of functions (“segregation of duties”) as a preventive control measure

It calls for the separation of the four basic functions of transaction processing:
- Authorizing transactions
- Executing transactions
- Recording transactions
- Safeguarding resources resulting from consummating transactions

The objective is mainly to provide an environment where fraud becomes difficult.

Defining internal audit

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

Institute of Internal Auditors

Internal audit process

Primary task:
- Examine and evaluate the adequacy and effectiveness of the internal control system
- Evaluate the quality of performance in carrying out assigned responsibilities

Can be considered to be part of the monitoring component of an IC system

Its scope potentially covers all activities within the company

Independence of internal audit

Independence with regard to the activities they audit is essential for the internal audit function.

Independence should be assured through:
- Organizational position and authority within the company
- Recognition of professional objectivity

Enterprise Risk Management: Overview

- Risk Attitudes
- Risk Management Systems: ERM
- Risk and Culture
- Risk & Responsibilities
- Risk Management Strategies

Risk Attitudes

- Personal Views
- Shareholder demand
- Organisational influence
- National and Cultural influences
- Entrepreneurial risk
  - Uncertainty regarding market demand
  - Uncertainty regarding own entrepreneurial ability

Risk Management Systems: Enterprise Risk Management

“ERM is the discipline by which an organisation in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organisation's short and long term value to its shareholders.”

The CAS Committee on ERM

ERM is a framework designed to ensure the consistent identification, assessment, evaluation and management of risks across the organisation.

Enterprise Risk Management: Key Drivers

- More and more complicated risks
- External pressures
- Portfolio point of view
- Quantification
- Risk as an opportunity

Benefits of ERM

- Alignment of risk appetite and strategy
- Link growth, risk and return
- Choose best risk response
- Minimise surprise and losses
- Identify and manage risks across the organisation
- Provide responses to multiple risks
- Seize Opportunities
- Rationalise Capital

ERM: Limitations

- Some events can't be foreseen
- Board depends on management for correct information
- Boards can blink
- ERM has been flawed historically because practitioners tended to pay a lot of attention to quantifiable risks

Embedding risk awareness and assessment

- Risk Culture: an integral part of embedding risk awareness and assessment
- Risk policy statement
- Risk Register

Risk Management Responsibilities

The Board: The board's role in managing risk is one of the most important. Emphasised in the Turnbull Report.
- Determining risk management strategy
- Policies on internal controls and seeking assurance on internal controls
- Monitoring risks

Risk Management Responsibilities

Risk Management Committee

If a risk management committee is not present, under the Combined Code the audit committee will be responsible for risk management.

Are there advantages in having a separate risk management committee?

Roles of the Risk Management Committee:
- Approving the risk management strategy and policy
- Reviewing reports on key risks
- Monitoring overall risk exposure
- Providing early warning to the board
- Reviewing the company's statement on internal control

Risk Management Responsibilities

- Risk Management Group
- Internal and External Audit
- Line Managers (Emphasised in the Turnbull Report)
- Staff (Emphasised in the Turnbull Report)

Risk Management Responsibilities

Risk Manager (as applied to ERM)
- Overall leadership for ERM
- Integrate RM across the organisation
- Implement RM policies
- Implement a set of risk indicators and reports
- Dealing with insurance companies
- Allocating economic capital to business activities
- Reporting to the CEO (Some CROs have a direct reporting line to the board).

Risk Management Strategies

Avoidance of risk

Will the possible savings from avoiding the risks be greater than not taking any measures and running the risks?

Risk Management Strategies

Reduction of risk

What measures could you take to reduce the risk that suppliers do not deliver supplies of the required quality or do not deliver on time?

- Contingency Planning
  - Information
  - Responsibilities
  - Practice
- Loss Control
  - Physical Devices
  - Awareness and Commitment
- Risk pooling and diversification
  - Systematic (market risk) and Unsystematic risk
  - The Capital Asset Pricing Model (CAPM)
- Risk Hedging
  - Commonly used in the area of currency and interest rate management

Risk Management Strategies

Acceptance of risks
- Self-Insurance
- Captive Insurance (A captive insurance company is a subsidiary company formed to insure or reinsure the risks of its parent and/or associated group companies)
- Cost
- Flexibility
- Claims Management

Risk Management Strategies

Transfer of risk
- Hold Harmless agreements
- Limitation of liability
- Risk Sharing

ERM framework

- 5. Sources of Risk (internal to a business and emanating from the environment)
- 4. Risk Management Process (incremental phases of an iterative process)
- 3. Implementation (appointment of external support)
- Corporate Governance (board oversight)
- 2. Internal Control (sound system of internal control)

Diagram labels: Risk Identification; Risk Assessment; Risk Evaluation; Risk Planning; Risk Management; Analysis; Internal Processes; Business Operating Environment

Source: Chapman, Enterprise Risk Management, Wiley, 2021, p. 10

Levels within a corporate organisation

Risk Management
- Long-term risks - low level of detail involved
- Short-term risks - high level of detail involved

Source: Merna/Al-Thani, Corporate Risk Management, Wiley, 2021, p. 3

Sources of market risk and opportunity

Source: Chapman, Enterprise Risk Management, Wiley, 2021, p. 357

Typical risk parameters

Source: Merna/Al-Thani, Corporate Risk Management, Wiley, 2021, p. 11

Risk
- Susceptibility to Change or External Influences: opportunity; upside or downside result
- Degree of Interdependency with other Factors of Risk
- Severity of Impact (high/low): threat intensity (damage potential) continuously varying in terms of cost & time
- Probability of Occurrence (high/low): Varying probability (0-1); Frequency (high/low)

Classification of strategy risk

Strategy
- Objectives
- Business plan
- New business development
- Resources
- Stakeholder interests
- Corporate experience
- Reputation

Attributes and features:
- objectives
- factors of production
- reflects strategy
- assumptions
- currency
- regulatory priorities
- additional costs
- IT failure
- 3rd party providers
- overheads
- customer base
- fraud exposure
- resource needs
- resource mismatch
- ability of staff
- equity debt
- identified
- assessed
- reflected in business plan
- markets
- customers
- suppliers/contractors
- distribution mechanisms
- products/services
- risk/regulatory/legal context
- brand protection

Source: Chapman, Enterprise Risk Management, Wiley, 2021, p. 224

Risk classification: element, attributes and features

Classification of people risk

People
- HRM practices
- Salaries
- Regulatory and statutory req.
- Staff constraints
- Staff dishonesty
- Risk management
- Health and safety

Attributes and features:
- liquidity
- working conditions
- job satisfaction
- development and training
- fairness of rewards
- employee relations
- contracts
- maternity
- discrimination
- whistleblowing
- dismissal
- trade unions
- recruitment
- staff turnover
- staff absenteeism
- staff criticality matrix
- fraud/deception
- theft
- concealment
- culture
- system
- management
- plant and machinery
- fleet management
- office accommodation

Source: Chapman, Enterprise Risk Management, Wiley, 2021, p. 229

Risk classification: element, attributes and features

Classification of processes and systems risk

Processes and systems
- Controls
- Regulatory and statutory req.
- Continuity
- Transactions
- Computer/IT systems
- Knowledge management
- Indicators of loss notification trigger points

Attributes and features:
- business objectives
- quality
-
