Introduction to Risk Management and Corporate Governance, Schemes and Mind Maps of Government & Non-Profit Accounting

An overview of risk management, focusing on cyber risk and its mitigation strategies. It also delves into corporate governance, discussing its role, structures, and the impact of financial systems on governance. The document further explores the importance of codes of ethics, business conduct, and environmental management systems in promoting sustainability and corporate responsibility.

Typology: Schemes and Mind Maps

2023/2024

Uploaded on 02/18/2024

gia-han-10
CHAPTER 5: RISKS, GOVERNANCE, CORPORATE RESPONSIBILITY AND ETHICS
5.1 Risks and risk management
5.2 Governance and ethics
5.3 Corporate governance

Introduction to risk management

Warm-up activities
• Visit http://www.stopdisastersgame.org/
• Click on 'Launch Game'
• Click on 'Play Game' and choose the 'Tsunami' disaster type (Easy, Medium and Hard levels are available for each disaster type)
• Read the 'Mission Introduction' pop-ups to get a clear idea of your objectives and resources.
• As you start putting in place defences and developments, 'Key Fact' boxes will pop up giving you valuable information.
• You should try to save as many people and buildings as possible.

What is risk?
• Risk: the possible variation in an outcome from what is expected to happen.
• Variability: events in the future cannot be predicted with certainty.
• Expectation: we expect something to happen, or perhaps hope that it will not happen.
• Outcomes: what actually happens, compared with what is intended or expected to happen.
• Uncertainty: the inability to predict the outcome from an activity due to a lack of information.
• Opportunity: the possibility that an event will occur and positively affect the achievement of objectives.

Risk appetite
The extent to which a business is prepared to take on risks in order to achieve its objectives.

Attitudes to risk
• A risk averse attitude
• A risk neutral attitude
• A risk seeking attitude

Types of risks
• Business risk
• Financial risks
• Operational risks
• Cyber risk

Business risk comprises:
• Strategic risk
• Financial risk
• Operational risk
• Legal risk
• Other risks

Financial risks
• Controllable financial risk is financial risk arising from factors that are within the business's direct control.
• Uncontrollable financial risk is financial risk arising from factors that operate independently of the business. The key factor here is market risk, that is the risk of losses resulting from changes in

Cyber risk
• Hacking, including of social media and email passwords
• Phishing: bogus emails asking for security information and personal details
• Malicious software, including ransomware, through which criminals hijack files and hold them to ransom
• Distributed denial of service (DDoS) attacks against websites, often accompanied by extortion

Tackling cyber attacks
Report cyber attacks/incidents: If cyber attacks and other cyber incidents are reported, law enforcement agencies are able to investigate. This improves their understanding of the scale of cyber attacks and helps shape future responses to them, as well as making sure that their resourcing and funding are appropriate.
Cyber risk mitigation: The more devices that an organisation connects to the internet, the more exposed it is to potential attack. Cyber security is the main method of mitigating cyber risk and is vital to protect the business's operating capability, finances and reputation. Even basic cyber security methods can reduce the risk of most attacks.
Manage cyber security: To be most effective, cyber security should be integrated with risk management. The aim of cyber security is to increase the difficulty that a cyber attacker faces in making a successful attack. The appropriate level of cyber security depends on the size of the organisation and the cyber risk that it faces. Small organisations, or those with relatively low cyber risk, should focus on the fundamentals. Larger organisations, or those with high cyber risk, should aim for greater depth of security.
Promote awareness: Organisations should promote best practice in cyber security to their stakeholders, such as employees. This could include setting a strong password policy and encryption methods, and making sure that users apply them.

Technical controls for cyber security
• Access control: physical and network procedures to restrict access to a system
• Boundary firewalls and internet gateways: software that intercepts network traffic in and out of a system
• Malware protection: software that prevents and removes unwanted programs from a system
• Patch management: ensuring the latest updates to software are installed
• Secure configuration: ensuring the system is set up with cyber security as a priority

Risk management
• Reducing the probability of risks occurring in the first place, and then, if they do occur,
• Limiting the impact they will have on the business

Risk management process
• Awareness and identification
• Analysis: assessment and measurement
• Response and control (including avoidance and acceptance)
• Monitoring and reporting

Risk awareness and identification
• A bottom-up approach
• A top-down approach

Risk assessment and measurement
Risk assessment: for each risk its nature is considered, along with the implications it might have for the business achieving its objectives; an initial judgement is then made about the seriousness of the risk.
Risk measurement: identifying the probability (likelihood) of the risk occurring, quantifying the resultant impact (consequence) and calculating the amount of the potential loss, using expected values for gross risk.
Gross risk: the potential loss associated with the risk, calculated by combining the impact and the probability of the risk, before taking any control measures into account.
Significance can be measured in terms of the potential loss arising as a result of the risk, that is its gross risk.
Gross risk = Probability x Impact

Control
• Physical controls
• Financial controls
• System controls
• Management controls

Monitoring and reporting risk
Monitoring risk should be a continuous, ongoing process.
• Has corrective action now been taken? Has it been effective?
• Was the risk identified in the first place, and if not, why not?
• If the risk was identified and planned for but the event still occurred, is it because early warning indicators were not monitored?
• If the response and/or controls were ineffective, what changes or new procedures are necessary?

Crisis management
• Crisis: an unexpected event that threatens the wellbeing of a business, or a significant disruption to the business and its normal operations which impacts on its customers, employees, investors and other stakeholders.
• Crisis management: identifying a crisis, planning a response to the crisis, and confronting and resolving the crisis.

Business resilience
A business's ability to manage and survive against planned or unplanned shocks and disruptions to its operations.

Axis 1: Processes and functions that protect the organisation
• Risk management
• Business continuity planning
• Security
• IT disaster recovery
• Health and safety
• Crisis management
• Internal audit
• Governance

Axis 2: More general ('cross-cutting') characteristics of the organisation that drive resilience
• The level of trust employees have in the organisation and its management
• The level of trust of customers in the organisation
• The ability of the organisation to innovate
• The extent that organisational values are understood
• The extent that organisational values drive employee behaviour
• The ability of the organisation to operate risk management
• Employee morale
• Leadership and senior management involvement

Features of resilient organisations:
• Have diversified resources and assets to facilitate alternative approaches and adaptation to change
• Build strong relationships and networks (both internal and external)
• Have the ability to respond rapidly and decisively to an emerging crisis
• Have the ability to review and adapt based on experience and changing circumstances

Challenges:
• Lack of expertise
• Lack of input from senior management
• Silos for delivery
• Limited sharing of risk information

Four metrics that can be used to measure resilience:
• Compliance: how well the organisation complies with its standards and policies
• Completeness: the scope of resilience (ie how wide a range of issues the organisation is prepared for)
• Value: qualitative and quantitative measures of how well the organisation can meet specific outcomes
• Capability: evidence, collected through exercises and reviews, of the extent to which the organisation has put resilience processes and procedures in place

Specific cyber-resilience issues to consider:
• Understand where all the information is
• Separate systems with different levels of trust
• User access rights and obligations
• Address specific weaknesses
• Cover all key legal issues
• Address third party relationships
• Conformance assessment and penetration testing
• In-house versus external managed security services
• Define specific responsibilities
• Monitoring and review

Supply chain
• The supply chain is a particular issue for companies that adopt a just-in-time approach to inventory management.
• Organisations receive deliveries almost at the point when the materials are needed in the production process, and very little, if any, spare inventory is held. Any disruption to the supply chain (such as late deliveries or the failure of a supplier) will have a major impact on production.
• The more that companies outsource or work with partners, the more they depend on, and therefore must be able to rely on, their supply chain.

Disaster recovery
Disaster: the business's operations, or a significant part of them, break down for some reason, leading to potential losses of equipment, data or funds.
A long-term disaster recovery plan will typically provide for:
• Standby procedures so that some operations can be performed while normal services are disrupted
• Recovery procedures once the cause of the breakdown has been discovered or corrected
• Personnel management policies to ensure that the above are implemented properly

Practice questions

2. The head of corporate strategy for Mismus plc is assessing the scale of a particular risk faced by the company. This will depend on which four of the following concepts?
A. Probability
B. Uncertainty
C. Impact
D. Volatility
E. Appetite
F. Exposure

3. Manator Ltd has developed a new product for use in the nuclear power industry. Tests on the product have been successful and the product has been given government approval for use in the UK. However, a vocal group of lobbyists claim there is a danger to human health in the long term if the product leaks into the water supply. The company now has an insurance policy to cover all the company's liabilities in the event of a legal claim against the company following a leakage. Manator Ltd is managing the risk through:
A. risk avoidance
B. risk reduction
C. risk transfer
D. risk acceptance

4. Nantos plc has a standby procedure at one of its coal-fired power stations. This ensures that some level of electricity generation will still occur if normal levels of activity are disrupted. This is part of Nantos plc's:
A. operational planning
B. contingency planning
C. crisis management
D. disaster recovery planning

7. Grange Ltd's computer systems have recently been affected by hacking, with the consequence that its data files have been stolen by criminals. The criminal gang have offered to return the files for a payment of £1 million. Which of the following cyber attacks is Grange Ltd a victim of?
A. Webcam manager
B. Keylogging
C. File hijacking
D. Phishing

Chapter 6.2: Governance, corporate responsibility, sustainability and ethics

Content
1. What is governance?
2. What is corporate governance?
3. Stakeholders' governance needs
4. Symptoms of poor corporate governance
5. What is meant by 'good practice' in corporate governance?
6. The effect of types of financial system on governance
7. Governance structures
8. Ethics, business ethics and an ethical culture

Definition: 'A set of relationships between a company's management, its board, its shareholders and other stakeholders that provides the structure through which the objectives of the company are set, attained and monitored'.

Objectives of corporate governance
The public policy perspective on corporate governance:
• The objectives of its shareholders, plus
• The interests of other individuals and groups with a direct 'stake' in the company, plus
• The interests of the public at large

The stakeholder perspective on corporate governance:
• Encourage the efficient use of resources through efficient investment
• Require accountability from the company's senior management to shareholders for the way it has managed and taken care of those resources
• Aim to align the interests of shareholders and companies with those of other stakeholders

What are the symptoms of a serious conflict of interests?
• Financial collapse without warning
• Directors trying to disguise the true financial performance of the company
• Disputes over directors' remuneration
• Decisions taken by a board of directors to satisfy their own wish for power and rewards rather than to boost the interests of shareholders

Stakeholders' governance needs
• For their interests and expectations to be reflected in the company's objectives
• For the scope for conflicts to be reduced
• For the company to adhere to good practice in corporate governance
• For the company to adhere to good business ethics

Symptoms of poor corporate governance
• Domination of the board by a single individual or group, with other board members merely acting as a rubber stamp
• No involvement by the board: meeting irregularly, failing to consider systematically the organisation's activities and risks, or basing decisions on inadequate information
• Inadequate control function, for instance no internal audit, a lack of adequate technical knowledge in key roles, or a rapid turnover of staff involved in accounting or control
• Lack of supervision of employees
• Lack of independent scrutiny by external or internal auditors
• Lack of contact with shareholders
• Emphasis on short-term profitability, leading to concealment of problems or errors, or manipulation of financial statements to achieve desired results
• Misleading financial statements and information

Good practice in corporate governance
• Senior management of high quality and able to:
  • Put into effect the decisions of the board
  • 'Whistle-blow' on the activities of the company should the need arise
• Shareholders who are proactive at meetings and generally ensure that the board is acting in their best interests and within the spirit of good corporate governance
• External auditors working on behalf of the shareholders, totally independently of the directors, when reaching a conclusion as to whether the company's financial statements show a true and fair view
• Internal auditors who are independent of the directors as far as possible, reporting to the Audit Committee of the board or to some other committee dominated by non-executives

The effect of types of financial system on governance
There are two broad types of financial system:
• Bank-based systems
• Market-based systems

Bank-based financial systems
• Households prefer to bear little risk and so allocate more of their financial assets to cash and cash equivalents
• Households have less access to investments in physical assets such as housing
• Where households do invest in securities, this is primarily done via intermediaries such as pension and mutual funds, so institutional shareholders are influential
• There is comparatively more government regulation, often as a result of historic financial catastrophes
• Banks are highly concentrated and integrated in terms of providing both banking and non-banking services
• Bank lending is the most important source of business finance, after retained earnings
• Banks and businesses are highly integrated: banks have a long-term relationship with the businesses they lend to, usually cemented by the bank
• Markets are volatile and speculative because companies are dependent on bank finance and thus have high gearing

Governance structures
There are two basic governance structures:
• Statutes
• Codes of practice
Different countries use different combinations of statutes and codes of practice, depending in part on whether they have a principles-based or a shareholder-led approach to governance structures.

Principles-based approach to governance structures
• Promote transparent and efficient financial markets
• Protect and facilitate shareholders' rights, including the following basic rights
• Ensure the equitable treatment of all shareholders, including minority and foreign shareholders.
• Recognise the rights of stakeholders established by law or through mutual agreements
• Ensure that timely and accurate disclosure is made on all material matters, including the company's.
• Ensure the strategic guidance of the company by the board, the effective monitoring of management by the board, and the board's accountability.
• The need for and status of the external audit
• The need for an effective approach to the provision of analysis or advice by analysts, brokers, rating agencies and others, that is:
  • Relevant to decisions by investors
  • Free from material conflicts of interest that might compromise the integrity of their analysis or advice

The governance structure of the UK
Rules on corporate governance, especially with regard to:
• The board of directors (a unitary board is required)
• Directors' powers and duties
• The relationship of the company with directors, such as loans to directors and the interests of directors in company contracts
• Accountability for stewardship and financial reporting via the financial statements
• Rules on meetings and resolutions

Listed companies are regulated by the FCA's UKLA. They must:
• Comply with the main principles of the FRC's UK Corporate Governance Code 2014 contained in the UKLA Listing Rules, and either
• Comply with the supporting provisions of the Code, or
• Explain why they have not so complied.

Ethics, business ethics and an ethical culture
Ethical culture: a business culture where the basic values and beliefs in a company encourage people within the company to behave ethically.
• Integrity
• Objectivity
• Accountability
• Openness
• Honesty

Acceptable business ethics may comprise, as a minimum:
• Paying staff decent wages and pensions
• Providing good working conditions for staff
• Paying suppliers in line with agreed terms
• Sourcing supplies carefully
• Using sustainable or renewable resources
• Being open and honest with customers

How can an ethical culture be promoted?
• Ethical leadership from the board of directors
• Codes of ethics or business conduct
• Policies and procedures to support ethical behaviour

Ethical leadership from the board of directors
Attribute: Behaviour
• Openness: Be open minded and willing to learn, and encourage others to learn.
• Courage: Be determined and direct; actively stamp out poor behaviour.
• Ability to listen: Be aware of what is going on and know that doing the right thing is the right thing to do.
• Honesty: Be considerate and cautious in managing expectations.
• Fair mindedness: Be independent and willing to challenge the status quo.

Codes of ethics or business conduct
A company should have three objectives for a code of ethics in mind:
• To improve behaviour
• To build the company's reputation and the trust of stakeholders in the company
• To improve performance and build value

Employees who make the decision to 'blow the whistle' are driven to do so by their own moral values and their need to 'do the right thing', but they will normally only do so once they have tried but failed to get the problems addressed internally.

Policies and procedures to support ethical behaviour
• Active leadership by managers
• Consultation and communication procedures so everyone is aware of the code of ethics
• Piloting of the code in draft form so that people have an input to its content
• Review of the code so that it retains its position at the heart of how the company actually does business
• Training
• Speak-up lines/helplines for internal whistle-blowing
• Performance appraisals incorporating values
• Remuneration policies not cutting across values
• Disciplinary policies enforcing values
• Monitoring of how ethical behaviour is taking place
• Audit and assurance regarding values
• Reporting regularly
• Complaints systems that help employees to draw attention to unethical behaviour
• An explicitly stated duty to report breaches of specific ethical requirements

ICAEW members and business ethics
Environmental management systems (EMS) consist of procedures for compliance with a number of stated environmental policy objectives and targets, and therefore they assist the business in promoting sustainability and corporate responsibility. As well as documenting system procedures and instructions

Practice questions

1. The agency problem underlies the need for sound corporate governance. In this context, the 'agents' are the company's:
A. customers
B. shareholders
C. directors
D. auditors

2. Which of the following pairs of factors are likely to enable managers to run a company in their own interests?
A. Low levels of management accountability and shareholder access to the same information as management
B. High levels of management accountability and management access to better information than the shareholders
C. High levels of management accountability and shareholder access to the same information as management
D. Low levels of management accountability and management access to better information than the shareholders

5. According to the Organisation for Economic Cooperation and Development (OECD) Principles of Corporate Governance, companies must protect and facilitate which two of the following shareholder rights?
A. The right to receive all the company's profits
B. The right to real-time information concerning the company
C. The right to participate in and vote at semi-annual select meetings
D. The right to have secure methods of ownership registration
E. The right to elect and remove members of the board

6. Which three of the following attributes and behaviours are identified by the Institute of Business Ethics as being typical of ethical business leaders?
A. Openness
B. Integrity
C. Ability to listen
D. Courage
E. Accountability

7. The country of Zooland has a bank-based financial system. Its financial system will be characterised by:
A. comparatively more government regulation than a market-based system
B. comparatively less close relationships between banks and businesses than in a market-based system
C. comparatively less integration of banking and non-banking services than in a market-based system
D. households with greater access to investment in physical assets than in a market-based system