The U.K.'s Financial Reporting Council (FRC) is responsible for the nation's corporate governance code as well as its standards for accounting and auditing.
When they speak, we should all listen.
The FRC recently issued draft guidance (PDF) for directors that is intended to replace their prior guidance (2005) on internal control and risk management. You can view their press release, which includes instructions for providing feedback.
They are also recommending changes to the U.K. Corporate Governance Code to reflect the new guidance, which replaces the 2005 Turnbull guidance on internal control.
While the document includes guidance on accounting for going concern issues, I will focus on important messages it is sending about risk management and internal control.
Here are some of the passages that caught my eye:
"Risk management and internal control should be incorporated within the company's normal management and governance processes, not treated as a separate compliance exercise."
"The risk management and internal control system should be embedded in the operations of the company; be capable of responding quickly to evolving risks and opportunities to the business arising from factors within the company and to changes in the business environment; and include procedures for reporting immediately to appropriate levels of management and to the board any significant increases in the company's risk exposure or significant control failings or weaknesses that are identified together with details of corrective action being undertaken."
"The assessment and management of the principal risks, and monitoring of the associated controls, should be carried out as an on-going process, not seen as an annual one-off exercise."
"It is the role of management, not the board, to implement and take day-to-day responsibility for board policies on risk and control. But the board needs to satisfy itself that management have understood the risks, implemented and monitored appropriate policies and controls, and are providing the board with timely information so that it can discharge its own responsibilities. In turn, management should ensure responsibilities are clearly established at all levels of the organisation."
"All employees share responsibility for behaving according to the agreed risk culture. Management should ensure that employees have the necessary knowledge, skills, information, and authority to establish, operate and monitor the system of risk management and internal control."
"The ability of the board to understand and address the risks facing the company is itself a major risk factor. The board needs to ensure that informed debate is possible and constructive challenge encouraged, and to keep under review the effectiveness of its decision-making processes."
"As with all aspects of good governance, the effectiveness of risk management and internal control ultimately depends on the individuals responsible for operating the systems that are put in place. In order to ensure the appropriate risk culture is in place it is not sufficient for the board simply to set the desired values. It also needs to ensure they are communicated by management, incentivise the desired behaviours and sanction inappropriate behaviour, and assess whether the desired values and behaviours have become embedded at all levels. ... This should include consideration of whether the company's leadership and management style and structures, human resource policies and reward systems support or undermine the risk management and internal control system."
"The board should identify what sources of assurance it requires and, where there are gaps, how these should be addressed. In addition to the board and its committees' own monitoring activities, sources of assurance might include reports on relevant matters from any compliance, risk management and internal audit functions within the company, the external auditor's communications to the audit committee about matters it considers relevant to the board and the audit committee in fulfilling their responsibilities, and other internal and external sources of information or assurance." (Note that, unfortunately, the FRC has not mandated that internal audit provide this assurance.)
"The board should satisfy itself that these sources of assurance have sufficient integrity, independence and expertise to enable them to provide objective advice and information to the board."
"In addition to its on-going scrutiny, the board should undertake an annual assessment to ensure that it has considered all significant aspects of risk management and internal control for the company for the year under review and up to the date of approval of the annual report and accounts. The board should define the processes to be adopted for this assessment, including drawing on the results of the board's on-going scrutiny such that it will obtain sound, appropriately documented, evidence to support its statement in the company's annual report and accounts." (The document includes specific guidance on areas that should be addressed in the assessment.)
"In its statement the board should, as a minimum: acknowledge that it is responsible for that system and for reviewing its effectiveness; and disclose that there is an on-going process for identifying, evaluating and managing the principal risks faced by the company, that it has been in place for the year under review and up to the date of approval of the annual report and accounts, that it is regularly reviewed by the board, and to what extent it accords with the guidance in this document. ... The board should summarise the process it has applied in reviewing the effectiveness of the system of risk management and internal control. The board should explain what actions have been or are being taken to remedy any significant failings or weaknesses identified from that review, including the process it has applied to deal with material risk management or internal control aspects of any significant problems disclosed in the annual report and accounts."
What strikes me most is the clear indication that a periodic review and assessment of a limited number of risks in a static risk register is not acceptable. This means that the majority of risk functions have to change!
The FRC has recognized that risks to the achievement of objectives change rapidly. Every decision not only creates or changes risk; it should also be made with due consideration of risk.
The management of risk has to be part of everyday management, not a separate "compliance exercise."
As I said, when the FRC speaks, we should listen. They are effectively challenging the model in which the Chief Risk Officer is responsible for a risk management process that sits apart from everyday management processes, with risk reported separately from performance.
Organizations should make it clear that risk is "owned" by decision-makers, the people responsible for performance. The risk practitioner is there to teach management how to fish (i.e., consider risk as an inherent part of management and decision-making), not to give them fish.
I welcome your comments.
PS — my thanks to David Griffiths for bringing the document to my attention.