corporate governance. what is risk? ◦ risks are uncertain future occurrences which, left...

Risk Management, External & Internal Control Corporate Governance

Upload: gerard-mckenzie

Post on 16-Jan-2016


Risk Management, External & Internal Control

Corporate Governance

Risk Management

What is risk?

◦ Risks are uncertain future occurrences which, left unchecked, could adversely influence the achievement of a company’s business objectives

Naidoo, Corporate Governance, 2009 page 225

Types of risk

Some of the main types of risk are:

Market risk – exposure to changes in share price, interest rate etc

Credit risk – possibility that 3rd party may fail to honour its contractual commitments to the company

Operational risk – risk of loss due to inadequate internal processes or unexpected external events

Types of risk

Reputational risk – risk of event damaging company’s goodwill & reputation

Business volume risk – risk of changes in demand or supply or competition

Legal risk – risk of failure to comply with legislation or contractual requirements

Managing Risk

Risk management can mean attempting to avoid or reduce exposure to a particular risk

Risk management can also mean increasing exposure to a particular risk to benefit from an anticipated outcome

Company will look at possibility of risk occurring & cost of reducing exposure

Managing Risk

The Board will decide in consultation with management which risks to terminate, accept, reduce or transfer.

Implementing a risk management plan

Define the risk & identify the areas of risk

Determine the capacity to deal with risk using TART

Develop strategies to deal with the risks identified

Develop risk management documentation

Integrate risk management into business plan

Ongoing monitoring of risk

The TART approach

The four approaches to risk management

Terminate – if risk is too great to control & risk exceeds benefits

Accept – if no other controls possible

Reduce – institute appropriate controls

Transfer – move risk to another party (eg: insurer)

Internal Control

Internal control refers to the complex web of reporting systems present within a company in terms of which its business activities are controlled.

Naidoo, Corporate Governance, 2009 page 234

Requirements of internal control

An effective system of internal control should enable the company to:

◦ Identify key objectives & associated risks

◦ Measure overall performance in managing risk

◦ Manage the identification of risk & the mitigation process through timely & meaningful communication

◦ Monitor the effectiveness of identifying, measuring & managing risk

Naidoo, Corporate Governance, 2009 page 235

External Audit

The Companies Act lays down the requirements for the appointment of an external auditor – see section 90 of the Act

The overriding factor is independence

Audit Committee responsibilities

King III gives the audit committee certain responsibilities relating to the external auditors:

◦ To nominate the auditor

◦ To approve the terms of engagement & remuneration

◦ To monitor & report on the auditor’s independence

◦ To create a policy relating to non-audit work

◦ To review the quality & effectiveness of the external audit process

The Internal Audit

The internal audit function must be independent & objective

It may be done internally or may be outsourced

If outsourced, it should not be done by the firm doing the external audit

If done internally, it should be independent of the day-to-day operations

The audit committee is responsible for overseeing the internal audit function

Purpose of the Internal Audit

To objectively evaluate the company’s risk management, internal control & corporate governance processes & provide assurance to the Board of the adequacy & functionality of these processes

If the Board decides not to have an internal audit function the reasons should be disclosed in the annual report (apply or explain)

The Status of Internal Audit

The Board should ensure that the internal audit function has the necessary status within the company to execute its functions independently and without fear or favour

This can be achieved by:

◦ Appointment of qualified personnel

◦ Head of internal audit given senior management status

◦ Head of internal audit to report to Board & CEO

◦ Board promoting independence of internal audit

◦ Internal audit given adequate funding & resources