9 Jun 2015

Dealing with risk management and internal control

In September 2014, the Financial Reporting Council (FRC) issued new UK Corporate Governance Code provisions on risk management and internal control. These changes, which apply on a comply or explain basis, are for periods commencing on or after 1 October 2014. Additionally, the FRC issued new good practice guidance on Risk Management, Internal Control and Related Financial and Business Reporting.

Will this make a difference?

There is no doubt that these new provisions will raise the bar on risk management and internal control, but how? Whilst many companies operate excellent risk management systems, there are some where risk management processes are not embedded, let alone monitored. In some instances, they may be rather superficial, or perhaps an afterthought for the annual report. These companies will have more work to do to claim they have made a robust assessment. On controls monitoring, the other main area of change, we find that controls in the main are operating sensibly. But whilst the controls may not need redefining, directors rarely receive regular reports that enable ongoing monitoring, so the focus needs to be on providing a clear line of sight.

How will directors meet the requirements?

Like the old adage, Rome wasn’t built in a day; the FRC acknowledges this will take more than one reporting period to get right. Most companies have by now established a working party to look at their existing procedures and establish the connectivity that the code requires with the board of directors. It will be interesting to see how companies describe how their risk management is distributed, as risk responsibility under the code can sit with either board committees or the board itself, but in practice may be wider. We foresee more thoughtful and richer descriptions in annual reports this coming year, and more engagement from directors given the FRC’s comply or explain regime.

Business benefit or compliance cost?

Successfully managing risk leads to business profits. By embracing this as an opportunity to check that risk processes are appropriately focused on real business risk, and on core business activities, directors should benefit from the new regime. However, those who treat this as a compliance exercise may see additional compliance cost but less value. Better definition of risk supports better business decisions; refocusing on key controls could free up management time; and driving consensus around the board on risk appetite could help prioritise investments, enable faster decision making and increase shareholder value. All of these are possible if this is embraced as an opportunity.

New responsibilities for audit committees and auditors

Audit committees have a significant role to play in supporting the board’s activities given their responsibilities under the Code to ‘review the company’s internal control and risk management systems unless expressly addressed by a separate board risk committee comprised of independent directors, or by the board itself.’ And, of course, the existence of an executive risk committee does not remove this responsibility. There must be oversight by a committee of independent non-executive directors or by the Board itself. Here again, companies will want to reconfirm the structure of their risk and controls oversight.

Auditors have a role here, too, as the FRC has introduced corresponding changes to auditor reporting. Auditors already report by exception if they do not agree with the board’s statement that the annual report, taken as a whole, is fair, balanced and understandable, or if they do not agree with the audit committee’s list of significant issues considered. Now, a statement must be included in the audit report as to whether the auditor has anything material to add. It should also draw attention to the directors’ confirmation in the annual report that they have carried out a robust assessment of the principal risks facing the entity and how they are being managed or mitigated. It will be critical for auditors to engage with companies early on to enable them to form their own professional and independent view. The directors’ disclosures should be of significant interest to shareholders, and this is an opportunity for auditors to engage and provide perspectives.

Paving the way for the future

As always, you will get out what you put in and treating the requirements as an opportunity rather than a compliance burden will likely bring business benefits.

For the very large companies, we expect many of the key ingredients to be in place, but they may be in different places and not fully joined up. If embraced, the new guidance can be a catalyst to bring these together, to streamline and join up activities, making them more effective. It is worth focusing on the code first and foremost, and using the guidance as just that, guidance, something to build on over time. Get the ‘comply or explain’ areas right first.

For smaller and mid-cap listed companies with fewer resources and without large risk and internal audit departments, this could be more of a challenge. However, with smart thinking and a good understanding of key risks, many should be able to leverage existing awareness and processes to a large extent.

Effective governance of risk should be part of management and board consideration as strategy is executed, investments made, businesses run and costs managed – all important factors for businesses looking to grow. But remember, auditors will need to see evidence of robust assessment and ongoing monitoring of risks and controls. The key message here is that early engagement and planning with all stakeholders is essential.

At a glance

1) The directors must confirm in the annual report that they have carried out a robust assessment of the principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity. The directors should describe those risks and explain how they are being managed or mitigated.

2) The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness, and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.

Greg Culshaw is an audit and risk advisory partner at Deloitte UK, and William Touche is a vice chairman at Deloitte UK and the firm’s Centre for Corporate Governance leader.
