Internal control systems

In this chapter we cover the main elements of internal control and risk management frameworks. You will have encountered internal controls in your auditing studies. In this chapter we take an overview of the main frameworks rather than looking at controls in detail.

The UK Turnbull report has provided a lot of useful guidance on internal control, which is referred to in this and other chapters. Turnbull stresses the importance of control systems as means of managing risks. In Section 3 we introduce the very important COSO enterprise risk management framework. Chapters 5 to 8 of this text discuss in detail the elements this framework identifies. In Section 4 we cover other international control frameworks, which each provide slightly different perspectives.

This is a very important chapter. The examiner has stressed how important a sound system of internal control is.

Study guide

    Intellectual level
B1 Management control systems in corporate governance
(a) Define and explain internal management control. 2
(b) Explain and explore the importance of internal control and risk management in corporate governance. 3
(c) Describe the objectives of internal control systems and how they can help prevent fraud and error. 2
(e) Identify and assess the importance of elements or components of internal control systems. 3
B2 Internal control, audit and compliance in corporate governance
(e) Explore and evaluate the effectiveness of internal control systems. 3

Exam guide

You may be asked to provide an appropriate control framework for an organisation or assess a framework that is described in a scenario. Look out in particular for whether the underlying control environment appears to be sound.

1 Purposes of internal control systems


Internal controls should help organisations counter risks, maintain the quality of financial reporting and comply with laws and regulations. They provide reasonable assurance that organisations will fulfil their strategic objectives.

Key term: An internal control is any action taken by management to enhance the likelihood that established objectives and goals will be achieved. Control is the result of proper planning, organising and directing by management. (Institute of Internal Auditors)

1.1 Internal management control 12/14

Internal management control can be viewed as management planning, organising and directing performance so that organisational objectives are achieved. Planning and organising includes establishing objectives, determining and obtaining the resources required to fulfil objectives and defining the policies and procedures that will be used in the organisation’s operations. Directing means ensuring resources are used efficiently and effectively, and also ensuring that operational tasks are carried out in line with the established procedures and policies.

1.1.1 The process of control

The cybernetic control model describes the process of control. A general cybernetic control model has six key stages:

  • Identification of objectives – Objectives for the process being controlled must exist, for without an aim or purpose control has no meaning. Objectives are set in response to environmental pressures such as customer demand.
  • Setting targets – A target or prediction of the process being controlled is required so that managers can see whether or not objectives have been achieved and whether action will be needed to remedy problems. Targets could include budgets or cost standards.
  • The output of the process must be measurable.
  • Comparing achievements with targets – Managers need to compare the actual outcomes of the process with the plan; this is known as obtaining feedback.
  • Identifying corrective action – It must be possible to take action so that failures to meet objectives can be reduced or eliminated.
  • Implementing corrective action – Action could involve changing objectives, resource inputs, the process or the whole system.

1.1.2 Important features of control systems

Fisher has suggested that management control systems can be viewed in terms of the following criteria.

  • Flexibility and ease of achievement of targets
  • Relative importance of numerical and subjective performance measures
  • Relative importance of short- and long-term measures
  • Consistency of measures used across the organisation
  • Whether management actively intervenes or intervenes by exception
  • How automatic control mechanisms are
  • Extent of participation below top management
  • Extent of reliance on social relationships

1.2 Effectiveness of control systems 12/07

In order for internal controls to function properly, they have to be well directed. Managers and staff will be more able (and willing) to implement controls successfully if it can be demonstrated to them what the objectives of the control systems are. Objectives also provide a yardstick for the board when they come to monitor and assess how controls have been operating.

1.3 Purposes of control systems 12/07

The UK Turnbull report provides a helpful summary of the main purposes of an internal control system.

Turnbull comments that internal control consists of ‘the policies, processes, tasks, behaviours and other aspects of a company that taken together:

  • Facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company’s objectives. This includes the safeguarding of assets from inappropriate use or from loss and fraud and ensuring that liabilities are identified and managed.
  • Help ensure the quality of internal and external reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organisation.
  • Help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of businesses.’

1.3.1 Characteristics of internal control systems

The Turnbull report summarises the key characteristics of the internal control systems. They should:

  • Be embedded in the operations of the company and form part of its culture
  • Be capable of responding quickly to evolving risks within the business
  • Include procedures for reporting immediately to management significant control failings and weaknesses together with control action being taken

We shall talk more about each of these later in this text.

The Turnbull report goes on to say that a sound system of internal control reduces but does not eliminate the possibilities of losses arising from poorly judged decisions, human error, deliberate circumvention of controls, management override of controls and unforeseeable circumstances. Systems will provide reasonable (not absolute) assurance that the company will not be hindered in achieving its business objectives and in the orderly and legitimate conduct of its business, but won’t provide certain protection against all possible problems.

1.4 Risk

The Turnbull guidance and other guidance on control systems places great emphasis on how control systems deal with risk. In the next few chapters therefore much of our discussion will focus on risk.

Key terms

Risk is a condition in which there exists a quantifiable dispersion in the possible results of any activity.

Hazard is the impact if the risk materialises.

Uncertainty means that you do not know the possible outcomes and the chances of each outcome occurring.

In other words, risk is the probability, and hazard is the consequences, of results deviating from expectations. However, risk is often used as a generic term to cover hazard as well.



Question: Risks

What sort of risks might an organisation face?

Answer

Make your own list, specific to the organisations that you are familiar with. Here is a list extracted from an article by Tom Jones, ‘Risk Management’ (Administrator, April 1993). It is illustrative of the range of risks faced and is not exhaustive.

  • Fire, flood, storm, impact, explosion, subsidence and other disasters
  • Accidents and the use of faulty products
  • Error: loss through damage or malfunction caused by mistaken operation of equipment or wrong operation of an industrial programme
  • Theft and fraud
  • Breaking social or environmental regulations
  • Political risks (the appropriation of foreign assets by local governments or of barriers to the repatriation of overseas profit)
  • Computers: fraud, viruses and espionage
  • Product tamper
  • Malicious damage


1.4.1 Types of risk

There are various types of risk that exist in business and in life generally.

Key terms

Fundamental risks are those that affect society in general, or broad groups of people, and are beyond the control of any one individual. For example, there is the risk of atmospheric pollution which can affect the health of a whole community but which may be quite beyond the power of an individual within it to control.

Particular risks are risks over which an individual may have some measure of control. For example, there is a risk attached to smoking and we can mitigate that risk by refraining from smoking.

Speculative risks are those from which either good or harm may result. A business venture, for example, presents a speculative risk because either a profit or loss can result.

Pure risks are those whose only possible outcome is harmful. The risk of loss of data in computer systems caused by fire is a pure risk because no gain can result from it.


Exam focus point: It is important to emphasise that not all risks are pure risks. Plenty of risks have favourable as well as adverse consequences. As we shall see, businesses will take positive as well as negative impacts into account when deciding how risks should be managed.

1.5 Risk and business

A key point to emphasise is that risk is bound up with doing business. The basic principle is that ‘you have to speculate to accumulate’.

It may not be possible to eliminate risks without undermining the whole basis on which the business operates, or without incurring excessive costs and insurance premiums. Therefore in many situations there is likely to be a level of residual risk which it is simply not worth eliminating.

There are some benefits to be derived from the management of risk, possibly at the expense of profits, such as:

  • Predictability of cash flows
  • Limitation of the impact of potentially bankrupting events
  • Increased confidence of shareholders and other investors

However, boards should not just focus on managing negative risks but should also seek to limit uncertainty and to manage speculative risks and opportunities in order to maximise positive outcomes and hence shareholder value.   

In its Risk Management Standard, the Institute of Risk Management linked key value drivers for a business with major risk categories.

During 2007 a number of UK Government departments suffered security breaches relating to the sensitive personal data they stored. Some criticisms were made of the security of the computer systems; for example, the failure to encrypt information properly.

However, the most serious breaches related to simple errors, which elaborate computer applications could not prevent. The most notorious error related to the loss of personal data of every child benefit claimant (around 25 million). The material was sent between government departments on two disks, using the ordinary postal system, but was delayed en route.


1.6 Risk and corporate governance

One obvious link between risk and corporate governance is the issue of shareholders’ concerns, here about the relationship between the level of risks and the returns achieved, being addressed.

A further issue is the link (or lack of) between directors’ remuneration and risks taken. If remuneration does not link directly with risk levels, but does link with turnover and profits achieved, directors could decide that the company should bear risk levels that are higher than shareholders deem desirable. It has therefore been necessary to find other ways of ensuring that directors pay sufficient attention to risk management and do not take excessive risks. Corporate governance guidelines therefore require directors to:

  • Establish appropriate control mechanisms for dealing with the risks the organisation faces
  • Monitor risks themselves by regular review and a wider annual review
  • Disclose their risk management processes in the accounts

Exam focus point: Particularly important areas include safeguarding of shareholders’ investment and company assets, facilitation of operational effectiveness and efficiency, and contribution to the reliability of reporting.

2 Internal control frameworks 12/08, 12/14


The internal control framework includes the control environment and control procedures. Other important elements are the risk assessment and response processes, the sharing of information and monitoring the environment and operation of the control system.  

2.1 Need for control framework

Organisations need to consider the overall framework of controls, since controls are unlikely to be very effective if they are developed sporadically around the organisation and their effectiveness will be very difficult to measure by internal audit and ultimately by senior management.

2.2 Control environment and control procedures

Key terms: The internal control framework comprises the control environment and control procedures. It includes all the policies and procedures (internal controls) adopted by the directors and management of an entity to assist in achieving their objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including:

  • Adherence to internal policies
  • The safeguarding of assets
  • The prevention and detection of fraud and error
  • The accuracy and completeness of the accounting records
  • The timely preparation of reliable financial information

Internal controls may be incorporated within computerised accounting systems. However, the internal control system extends beyond those matters which relate directly to the accounting system.

Perhaps the simplest framework for internal control draws a distinction between:

  • Control or internal environment – the overall context of control, in particular the culture, infrastructure and architecture of control and attitude of directors and managers towards control (discussed in Chapter 5)
  • Control procedures – the detailed controls in place (discussed in Chapter 7)

The Turnbull report also highlights the importance of:

  • Information and communication processes (covered in Chapter 8)
  • Processes for monitoring the continuing effectiveness of the system of internal control (covered in Chapter 8)

2.3 Purposes of internal control framework

  • Achieving orderly conduct of business

Internal controls should ensure the organisation’s operations are conducted effectively and efficiently. In particular they should enable the organisation to respond appropriately to business, operational, financial, compliance and other risks to achieving its objectives.

  • Adherence to internal policies and laws

Controls should ensure that the organisation and its staff comply with applicable laws and regulations, and that staff comply with internal policies with respect to the conduct of the business.

  • Safeguarding assets

Controls should ensure that assets are optimally utilised and stop assets being used inappropriately. They should prevent the organisation losing assets through theft or poor maintenance.

  • Prevention and detection of fraud

Controls should include measures designed to prevent fraud, such as segregation of duties and checking references when staff are recruited. The information that systems provide should highlight unusual transactions or trends that may be signs of fraud.

  • Accuracy and completeness of accounting records

Controls should ensure that records and processes are kept that generate a flow of timely, relevant and reliable information that aids management decision-making.

  • Timely preparation of reliable financial information

They should ensure that published accounts give a true and fair view, and other published information is reliable and meets the requirements of those stakeholders to whom it is addressed.

Exam focus point: There may be some marks available for a general description of key features of a business’s control systems, or its objectives (tested in December 2008).

2.4 Internal control frameworks and risk

Turnbull states that in order to determine its policies in relation to internal control and decide what constitutes a sound system of internal control, the board should consider:

  • The nature and extent of risks facing the company
  • The extent and categories of risk which it regards as acceptable for the company to bear
  • The likelihood of the risks concerned materialising
  • The company’s ability to reduce the incidence and impact on the business of risks that do materialise
  • The costs of operating particular controls relative to the benefits obtained in managing the related risks

Exam focus point: December 2008 Question 3 asked for a description of the objectives of internal control.

Turnbull goes on to stress that an organisation’s risks are continually changing, as its objectives, internal organisation and business environment are continually evolving. New markets and new products bring further risks and also change overall organisation risks. Diversification may reduce risk (the business is not overdependent on a few products) or may increase it (the business is competing in markets in which it is ill equipped to succeed). Therefore the organisation needs to constantly re-evaluate the nature and extent of risks to which it is exposed.

COSO points out that an organisation needs to establish clear and coherent objectives in order to be able to tackle risks effectively. The risks that are important are those that are linked with achievement of the organisation’s objectives. In addition, there should be control mechanisms that identify and adjust for the risks that arise out of changes in economic, industry, regulatory and operating conditions.

2.5 Challenges in developing internal control 6/08, 6/09, 12/11, 12/13

Guidance from the Committee of Sponsoring Organisations of the Treadway Commission (COSO – discussed below) has highlighted a number of potential problems that smaller companies may face when developing internal control. These include:

  • Insufficient staff resources to maintain segregation of duties
  • Domination of activities by management, with significant opportunities for management override of controls. This arises from smaller companies having fewer levels of management with wider spans of control and their managers having significant ownership interests or rights
  • Inability to recruit directors with the requisite financial reporting or other expertise
  • Inability to recruit and retain staff with sufficient knowledge of, and experience in, financial reporting
  • Management having a wide range of responsibilities and thus having insufficient time to focus on accounting and financial reporting
  • Control over computer information systems with limited in-house technical expertise

2.6 Limitations of internal controls 6/08, 6/09, 12/11, 12/12

In addition, an internal control framework in any organisation can only provide the directors with reasonable assurance that their objectives are reached, because of inherent limitations, including:

  • The costs of control not outweighing their benefits; sometimes setting up an elaborate system of controls will be too costly when compared with the financial losses those controls may prevent
  • Poor judgement in decision-making
  • The potential for human error or fraud
  • Collusion between employees
  • The possibility of controls being bypassed or overridden by management or employees
  • Controls being designed to cope with routine and not non-routine transactions
  • Controls being unable to cope with unforeseen circumstances
  • Controls depending on the method of data processing – they should be independent of the method of data processing
  • Controls not being updated over time

Question

A large college has several sites and employs hundreds of teaching staff. The college has recently discovered a serious fraud involving false billings for part-time teaching.

The fraud involved two members of staff. M is a clerk in the payroll office who is responsible for processing payments to part-time teaching staff. P is the head of the Business Studies department at the N campus. Part-time lecturers are required to complete a monthly claim form which lists the classes taught and the total hours claimed. These forms must be signed by their head of department, who sends all signed forms to M. M checks that the class codes on the claim forms are valid, that hours have been budgeted for those classes and inputs the information into the college’s payroll package.

The college has a separate personnel department that is responsible for maintaining all personnel files. Additions to the payroll must be made by a supervisor in the personnel office. The payroll package is programmed to reject any claims for payment to employees whose personnel files are not present in the system.

M had gained access to the personnel department supervisor’s office by asking the college security officer for the loan of a pass key because he had forgotten the key to his own office. M knew that the office would be unoccupied that day because the supervisor was attending a wedding. M logged onto the supervisor’s computer terminal by guessing her password, which turned out to be the registration number of the supervisor’s car. M then added a fictitious part-time employee, who was allocated to the N campus Business Studies department.

P then began making claims on behalf of the fictitious staff member and submitting them to M. M signed off the forms and input them as normal. The claims resulted in a steady series of payments to a bank account that had been opened by P. The proceeds of the fraud were shared equally between M and P.

The fraud was only discovered when the college wrote to every member of staff with a formal invitation to the college’s centenary celebration. The letter addressed to the fictitious lecturer was returned as undeliverable and the personnel department became suspicious when they tried to contact this person in order to update his contact details. By then M and P had been claiming for non-existent teaching for three years without detection by external or internal audit.

Evaluate the difficulties in implementing controls that would have prevented and detected this fraud.

Answer

Small amounts

The college employs hundreds of teaching staff on full- and part-time contracts. Payments for one fictitious employee would not be large enough to attract the attention of internal auditors automatically. Even if auditors had checked a random sample of payments each year, given the large population the probability was that the fictitious employee would not be discovered for some time, as indeed happened.

Falsification of records

The records of the employee appeared to be genuine and a routine payment to a lecturer, entered on the payroll supervisor’s log-in and signed off by P. There was nothing unusual about these payments that anyone reviewing them could have identified.

Use of payroll supervisor’s log-on

The payroll supervisor would normally have been the third person involved with this transaction because of their involvement at the initial stage. However, P was able to bypass the need for the supervisor’s involvement by taking advantage of her absence and correctly guessing the supervisor’s password to gain access to the system.

Once the fictitious lecturer’s details had been entered, the college’s systems meant that two people had to be involved for each payment to a lecturer to be made, the head of department and the payroll clerk. The involvement of both in the fraud meant that the segregation of duties between the two staff, that P authorised the payment and M entered it, was lost.

Involvement of senior staff

The system also depended on the authorisation of payments by P. The system would have produced for P a record of the lecturers who had been paid for working in P’s department. However, review of this by P would have been worthless, as he would not have reported the fictitious lecturer. The system effectively relied on P’s honesty. Many systems are designed on the basis that senior staff act honestly. As P had been appointed to a senior position, there presumably was no indication in his previous record that suggested he could not be trusted.


Exam focus point: Question 1 in June 2008 asked about the problems of applying internal controls to subcontractors.

3 COSO’s framework


COSO’s enterprise risk management framework provides a coherent framework for organisations to deal with risk, based on the following components.

  • Control environment
  • Risk assessment
  • Control activities
  • Information and communications
  • Monitoring activities

COCO is an alternative framework that emphasises the importance of the commitment of those operating the system.

3.1 Nature of enterprise risk management 6/14

We have seen that internal control systems should be designed to manage risks effectively. There are various frameworks for risk management, but we shall be looking in particular at the framework established by the Committee of Sponsoring Organisations of the Treadway Commission (COSO).

COSO published guidance on internal control, Internal Control – Integrated Framework, in 1992. It published wider guidance on Enterprise Risk Management in 2004. In 2006 COSO issued Internal Control over Financial Reporting – Guidance for Smaller Companies. This guidance was designed to supplement the guidance in Internal Control – Integrated Framework, in the light of the requirement in s 404 of the Sarbanes-Oxley legislation for management of public companies to assess and report on the effectiveness of internal control over financial reporting. An updated version of the framework was issued in 2013 to reflect the increasingly global nature of business activity, the impact of technological advances, the increasing complexity of rules and regulations, and stakeholder concerns over risk management and the prevention of fraud.

Key terms

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Internal control is a process effected by an entity’s board of directors, management and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following categories.

  • Effectiveness and efficiency of operations
  • Reliability of reporting
  • Compliance with laws and regulations

(COSO)

COSO states that enterprise risk management has the following characteristics.

  • It is a process, a means to an end, which should ideally be intertwined with existing operations and exist for fundamental business reasons.
  • It is operated by people at every level of the organisation and is not just paperwork. It provides a mechanism for helping people to understand risk, their responsibilities and levels of authority.
  • It is applied in strategy setting, with management considering the risks in alternative strategies.
  • It is applied across the enterprise. This means it takes into account activities at all levels of the organisation, from enterprise-level activities such as strategic planning and resource allocation, to business unit activities and business processes. It includes taking an entity-level portfolio view of risk. Each unit manager assesses the risk for their unit. Senior management ultimately consider these unit risks and also interrelated risks. Ultimately they will assess whether the overall risk portfolio is consistent with the organisation’s risk appetite.
  • It is designed to identify events potentially affecting the entity and manage risk within its risk appetite, the amount of risk it is prepared to accept in pursuit of value. The risk appetite should be aligned with the desired return from a strategy.
  • It provides reasonable assurance to an entity’s management and board. Assurance can at best be reasonable since risk relates to the uncertain future.
  • It is geared to the achievement of objectives in a number of categories, including supporting the organisation’s mission, making effective and efficient use of the organisation’s resources, ensuring reporting is reliable, and complying with applicable laws and regulations.

Because these characteristics are broadly defined, they can be applied across different types of organisations, industries and sectors. Whatever the organisation, the framework focuses on achievement of objectives.

An approach based on objectives contrasts with a procedural approach based on rules, codes or procedures. A procedural approach aims to eliminate or control risk by requiring conformity with the rules. However, a procedural approach cannot eliminate the possibility of risks arising because of poor management decisions, human error, fraud or unforeseen circumstances arising. 

3.2 Framework of enterprise risk management

The COSO framework consists of five interrelated components.

Component Explanation
Control environment (Chapter 5) This covers the tone of an organisation, and sets the basis for how risk is viewed and addressed by an organisation’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate. The board’s attitude, participation and operating style will be a key factor in determining the strength of the control environment. An unbalanced board, lacking appropriate technical knowledge and experience, diversity and strong, independent voices is unlikely to set the right tone.

The example set by board members may be undermined by a failure of management in divisions or business units. Mechanisms to control line management may not be sufficient or may not be operated properly. Line managers may not be aware of their responsibilities or may fail to exercise them properly.

Risk assessment

(Chapters 6 and 7)

Risks are analysed considering likelihood and impact as a basis for determining how they should be managed. The analysis process should clearly determine which risks are controllable, and which risks are not controllable.

The COSO guidance stresses the importance of employing a combination of qualitative and quantitative risk assessment methodologies. As well as assessing inherent risk levels, the organisation should also assess residual risks left after risk management actions have been taken. Risk assessment needs to be dynamic, with

managers considering the effect of changes in the internal and external environments that may render controls ineffective.

Control activities (Chapter 7)

Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out. COSO guidance suggests that a mix of controls will be appropriate, including prevention and detection and manual and automated controls. COSO also stresses the need for controls to be performed across all levels of the organisation, at different stages within business processes and over the technology environment.

Information and communication (Chapter 8)

Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. The information provided to management needs to be relevant and of appropriate quality. It also must cover all the objectives shown on the top of the cube.

Effective communication should be broad – flowing up, down and across the entity. There needs to be communication with staff. Communication of risk areas that are relevant to what staff do is an important means of strengthening the internal environment by embedding risk awareness in staff’s thinking. There should also be effective communication with third parties such as shareholders and regulators.

Monitoring activities (Chapter 8)

Risk control processes are monitored and modifications are made if necessary. Effective monitoring requires active participation by the board and senior management, and strong information systems, so the data senior managers need is fed to them.

COSO has drawn a distinction between regular review (ongoing monitoring) and periodic review (separate evaluation). However weaknesses are identified, the guidance stresses the importance of feedback and action. Weaknesses should be reported, assessed and their root causes corrected.

Diagrammatically all the above may be summarised as follows.

Benefits of enterprise risk management 6/09

COSO highlights a number of advantages of adopting the process of enterprise risk management.

  • Alignment of risk appetite and strategy

The framework demonstrates to managers the need to consider risk toleration. They then set objectives aligned with business strategy and develop mechanisms to manage the accompanying risks and to ensure risk management becomes part of the culture of the organisation, embedded into all its processes and activities.

  • Link growth, risk and return

Risk is part of value creation, and organisations will seek a given level of return for the level of risk tolerated.

  • Choose best risk response

Enterprise risk management helps the organisation select whether to reduce, eliminate or transfer risk.

  • Minimise surprises and losses

By identifying potential loss-inducing events, the organisation can reduce the occurrence of unexpected problems.

  • Identify and manage risks across the organisation

As indicated above, the framework means that managers can understand and aggregate connected risks. It also means that risk management is seen as everyone’s responsibility, experience and practice is shared across the business and a common set of tools and techniques is used.

  • Provide responses to multiple risks

For example risks associated with purchasing, over- and undersupply, prices and dubious supply sources might be reduced by an inventory control system that is integrated with suppliers.

  • Seize opportunities

By considering events as well as risks, managers can identify opportunities as well as losses.

  • Rationalise capital

Enterprise risk management allows management to allocate capital better and make a sounder assessment of capital needs.


3.4 Criticisms of enterprise risk management

There have been some criticisms made of COSO’s framework:

  • Internal focus

One criticism of the ERM model has been that it starts at the wrong place. It begins with the internal and not the external environment. Critics claim that it does not reflect sufficiently the impact of the competitive environment, regulation and external stakeholders on risk appetite and management and culture.

  • Risk identification

The ERM has been criticised for discussing risks primarily in terms of events, particularly sudden events with major consequences. Critics claim that the guidance insufficiently emphasises slow changes that can give rise to important risks; for example, changes in internal culture or market sentiment.

  • Risk assessment

The ERM model has been criticised for encouraging an oversimplified approach to risk assessment. It has been claimed that the ERM encourages an approach which thinks in terms of a single outcome of a risk materialising. This outcome could be an expected outcome or it could be a worst-case result. Many risks will have a range of possible outcomes if they materialise, for example extreme weather, and risk assessment needs to consider this range.

  • Stakeholders

The guidance fails to discuss the influence of stakeholders, although many risks that organisations face are due to a conflict between the organisation’s objectives and those of its stakeholders.

3.5 Impacts of enterprise risk management

Although COSO’s guidance is non-mandatory, it has been influential because it provides frameworks against which risk management and internal control systems can be assessed and improved. Corporate scandals, arising in companies where risk management and internal control were deficient, and attempts to regulate corporate behaviour as a result of these scandals have resulted in an environment where guidance on best practice in risk management and internal control has been particularly welcome.

3.6 The COCO framework

A slightly different framework is the criteria of control or COCO framework developed by the Canadian Institute of Chartered Accountants (CICA).

3.6.1 Purpose

The COCO framework stresses the need for all aspects of activities to be clearly directed with a sense of purpose. This includes:

  • Overall objectives, mission and strategy
  • Management of risk and opportunities
  • Policies
  • Plans and performance measures

The corporate purpose should drive control activities and ensure controls achieve objectives.

3.6.2 Commitment

The framework stresses the importance of managers and staff making an active commitment to identify themselves with the organisation and its values, including ethical values, authority, responsibility and trust.

3.6.3 Capability

Managers and staff must be equipped with the resources and competence necessary to operate the control systems effectively. This includes not just knowledge and resources but also communication processes and co-ordination.

3.6.4 Action

If employees are sure of the purpose, are committed to do their best for the organisation and have the ability to deal with problems and opportunities then the actions they take are more likely to be successful.

3.6.5 Monitoring and learning

An essential part of commitment to the organisation is a commitment to its evolution. This includes:

  • Monitoring external environments
  • Monitoring performance
  • Reappraising information systems
  • Challenging assumptions
  • Reassessing the effectiveness of internal controls

Above all each activity should be seen as part of a learning process that lifts the organisation to a higher dimension.

Exam focus point

This emphasises the importance of feedback and continuous improvement in control systems and is something worth looking for in exam scenarios – whether the organisation appears capable of making essential improvements.

4 Evaluating control systems

A number of factors should be considered when evaluating control systems.


4.1 Principles or rules 6/10

We discussed whether to adopt a principles- or rules-based approach to corporate governance in Chapter 2. This debate is particularly significant for internal controls.

Having rules requiring organisations to implement internal controls should mean that controls are applied consistently by organisations. External stakeholders dealing with these organisations will have the assurance that they should have certain prescribed controls in place. However, this does not mean that all organisations will be operating the same controls with the same effectiveness.

A principles-based approach to internal control implementation means that organisations can adopt controls that are most appropriate and cost effective for them, based on their size and risk profile and the sector in which they operate.

4.2 Assessment of control systems

We shall look in detail at the different elements of risk management and control systems in later chapters, but the following general points apply to review of control systems.

4.2.1 Objectives

The controls in place need to help the company fulfil key business objectives, including conducting its operations efficiently and effectively, safeguarding its assets and responding to the significant risks it faces.

4.2.2 Links with risks

Links between controls and risks faced are particularly important, with the organisation needing a clear framework for dealing effectively with risks. Key elements are the board defining risk appetite, which will determine which risks are significant. There need to be reliable systems in place for identifying and assessing the magnitude of risks.

4.2.3 Control system compatibility

Guidance on control procedures needs to be supported by other aspects of the control system, and the overall systems need to deliver a consistent message about the importance of controls. Human resource policies and the company’s performance reward systems should provide incentives for good behaviour and deal with flagrant breaches.

4.2.4 Mix of controls

Detailed controls at the transaction level will not make all that much difference unless there are other controls further up the organisation. There should ideally be a pyramid of controls in place, ranging from corporate controls at the top of an organisation (for example ethical codes), management controls (budgets), process controls (authorisation limits) and transaction controls (completeness controls). Controls shouldn’t just cover the financial accounting areas, but should include non-financial controls as well.

4.2.5 Human resource issues

How well control procedures operate will also be determined by the authority and abilities of the individuals who operate the controls. There need to be clear job descriptions that identify how much authority and discretion individuals have at different levels of the organisation. Controls can also be undermined if the people who operate them make mistakes. Therefore managers and staff need to have the requisite knowledge and skills to be able to operate controls effectively. Documentation and training will be required, and individuals’ abilities assessed on a continuing basis as part of the appraisal process.

4.2.6 Control environment

The control environment (discussed further in the next chapter) matters because the company’s culture will determine how seriously control procedures are taken. If there is evidence that directors are overriding controls, this will undermine them. If staff resent controls, they may be tempted to collude to render controls ineffective.

4.2.7 Review of controls

Directors should demonstrate their commitment to control by reviewing internal controls.

4.2.8 Information sources

In order to carry out effective reviews of controls, the board needs to ensure it is receiving sufficient information. There should be a system in place of regular reporting by subordinates and control functions as well as reports on high-risk activities. The board also needs to receive confirmation that weaknesses identified in previous reviews have been resolved. Finally there need to be clear systems for reporting problems to the board.

4.2.9 Feedback and response

A basic principle of control system design is that the feedback received should be used as the basis for taking action to change the controls or modify the overall control systems. There should be rapid responses if serious problems are picked up, for example involvement of senior management in reviewing possible fraud.

4.2.10 Costs and benefits

Rational consideration of whether the costs of operating controls are worth the benefits of preventing and detecting problems should be an integral part of the board’s review process. Directors may decide not to operate certain controls on the grounds that they are prepared to accept the risks of not doing so.


Question: Models

What are the most important features highlighted by risk management models?

Answer

The following strike us as significant. You may well have come up with other points.

  • Risk management is a circular, continuous process, feeding on itself with the aim of ensuring continuous improvement.
  • The different faces of the COSO model emphasise the need for setting objectives at different levels, and for risk management to be effective in each business unit, division, etc.
  • COCO emphasises the need for staff to have the right attitudes, commitment and experience.
  • The approaches stress the need for monitoring by the board.


Chapter Roundup

Internal controls should help organisations counter risks, maintain the quality of financial reporting and comply with laws and regulations. They provide reasonable assurance that organisations will fulfil their strategic objectives.
The internal control framework includes the control environment and control procedures. Other important elements are the risk assessment and response processes, the sharing of information and monitoring the environment and operation of the control system.

COSO’s enterprise risk management framework provides a coherent framework for organisations to deal with risk, based on the following components.

  • Control environment
  • Risk assessment
  • Control activities
  • Information and communications
  • Monitoring activities

COCO is an alternative framework that emphasises the importance of the commitment of those operating the system.

A number of factors should be considered when evaluating control systems.

Quick Quiz

1 What according to Turnbull should a good system of internal control achieve?

2 Lack of flexibility is an important criticism of a rules-based approach to internal control. True or false?

3 What according to COSO are the key characteristics of enterprise risk management?

4 What are the key stages of the cybernetic control system?

5 Fill in the blank:

…………………………………. risks are risks from which good or harm may result.

6 What are the four components of risk management identified by IFAC?

7 Fill in the blank:

…………………………………. is the impact of a risk materialising.

8 Fill in the blank:

…………………………………. is the overall context of control, the culture, infrastructure and architecture of control, and attitude of directors or managers towards control.

Answers to Quick Quiz

1
    • Facilitate effective and efficient operation by enabling it to respond to significant risks
    • Help ensure the quality of internal and external reporting
    • Help ensure compliance with applicable laws and regulations

2 True

3
    • Process
    • Identifies significant events
    • Operated by people at every level
    • Provides reasonable assurance
    • Applied in strategy setting
    • Geared to the achievement of objectives
    • Applied across the organisation

4
    • Identification of system objectives
    • Setting targets for systems objectives
    • Measuring achievements/outputs of the system
    • Comparing achievements with targets
    • Identifying corrective action
    • Implementing corrective action

5 Speculative

6
    • Structure
    • Resources
    • Culture
    • Tools and techniques

7 Hazard

8 Control environment



Number   Level         Marks   Time
Q4       Examination   25      49 mins


05 Risk attitudes and internal environment

Study guide

    Intellectual level
B1 Management control systems in corporate governance  
(d) Identify, explain and evaluate the corporate governance and executive management roles in risk management (in particular the separation between responsibility for ensuring that adequate risk management systems are in place and the application of risk management systems and practices in the organisation). 3
(e) Identify and assess the importance of elements or components of internal control systems. 3
C1 Risks and the risk management process  
(a) Define and explain risk in the context of corporate governance. 2
(b) Define and describe management responsibilities in risk management. 2
C3 Identification, assessment and measurement of risk  
(a) Identify, and assess the impact on, the stakeholders involved in business risk. 3
D1 Targeting and monitoring of risk  
(a) Explain and assess the role of a risk manager in identifying and monitoring risk. 3
(b) Explain and evaluate the role of the risk committee in identifying and monitoring risk. 3
D2 Methods of controlling and reducing risks  
(a) Explain the importance of risk awareness at all levels of an organisation. 2
(b) Describe and analyse the concept of embedding risk in an organisation’s systems and procedures. 3
(c) Describe and evaluate the concept of embedding risks in an organisation’s culture and values. 3
D3 Risk avoidance, retention and modelling  
(b) Explain and evaluate the different attitudes to risk and how these can affect strategy. 3
(c) Explain and assess the necessity of incurring risk as part of competitively managing a business organisation. 3
(d) Explain and assess attitudes towards risk and the ways in which risk varies in relation to the size, structure and development of an organisation. 3

Exam guide

The chapter contents could be examined in overview or you may be asked more specific questions about various aspects, such as the responsibilities of senior management.

1 Risk and the organisation

Management responses to risk are not automatic, but will be determined by their own attitudes to risk, which in turn may be influenced by cultural factors.


1.1 Risk appetite and attitudes 6/14

Remember we mentioned briefly in Chapter 4 that businesses have to take risks in order to develop. Therefore risk-averse businesses are not businesses that are seeking to avoid risks. They are businesses that are seeking to obtain sufficient returns for the risks they take.

Key terms

Risk appetite describes the nature and strength of risks that an organisation is prepared to bear.

Risk attitude is the directors’ views on the level of risk that they consider desirable.

Risk capacity describes the nature and strength of risks that an organisation is able to bear.

Different businesses will have different attitudes towards taking risk.

Risk-averse businesses may be willing to tolerate risks up to a point provided they receive acceptable return or, if risk is ‘two-way’ or symmetrical, that it has both positive and negative outcomes. Some risks may be an unavoidable consequence of operating in their business sector. However, there will be upper limits to the risks they are prepared to take whatever the level of returns they can earn.

Risk-seeking businesses are likely to focus on maximising returns and may not be worried about the level of risks that have to be taken to maximise returns (indeed their managers may thrive on taking risks).

The range of attitudes to risk can be illustrated as a continuum. The two ends are two possible extremes, whereas real-life organisations are located between the two. At the left-hand extreme are organisations that never accept any risk and whose strategies are designed to ensure that all risks are avoided. On the right-hand side are organisations that actively accept risks and are risk seeking.

Risk averse <-----------------------------------------------------------> Risk seeking
(more likely to refuse and avoid risk)                        (more likely to accept risk)

Whatever the viewpoint, a business should be concerned with reducing risk where possible and necessary but not eliminating all risks, while managers try to maximise the returns that are possible given the levels of risk. Most risks must be managed to some extent, and some should be eliminated as being outside the business. Risk management under this view is an integral part of strategy, and involves analysing what the key value drivers are in the organisation’s activities, and the risks tied up with those value drivers.

For example, a business in a high-tech industry, such as computing, which evolves rapidly within ever-changing markets and technologies, has to accept high risk in its research and development activities, but should it also be speculating on interest and exchange rates within its treasury activities?

Another issue is that organisations that seek to avoid risks (for example public sector companies and charities) do not need the elaborate and costly control systems that a risk-seeking company may have. However, businesses such as those that trade in derivatives, volatile share funds or venture capital companies need complex systems in place to monitor and manage risk. The management of risk needs to be a strategic core competence of the business.



Since risk and return are linked, one consequence of focusing on achieving or maintaining high profit levels may mean that the organisation bears a large amount of risk. The decision to bear these risk levels may not be conscious, and may go well beyond what is considered desirable by shareholders and other stakeholders.

This is illustrated by the experience of the National Bank of Australia, which announced it had lost hundreds of millions of pounds on foreign exchange trading, resulting in share price instability and the resignation of both the Chairman and Chief Executive. In the end the ultimate loss of A$360 million was 110 times its official foreign exchange trading cap of A$3.25 million.

The bank had become increasingly reliant on speculation and high-risk investment activity to maintain profitability. Traders had breached trading limits on 800 occasions and at one stage had unhedged foreign exchange exposures of more than A$2 billion. These breaches were reported internally, as were unusual patterns in trading (very large daily gains) but senior managers took no action. For three years, the currency options team had been the most profitable team in Australia, and had been rewarded by bonuses greater than their annual salaries. Eventually, however, the team came unstuck, and entered false transactions to hide their losses.

The market, however, was unimpressed by the efforts of the bank to make members of the team scapegoats, and market pressure forced changes at the top of the organisation, a general restructuring and a more prudent attitude to risk. Observers, however, questioned whether this change in attitude would survive the economic pressure that the bank was under in the long term. 


1.2 Factors influencing risk appetite

Because risk management is bound up with strategy, how organisations deal with risk will not only be determined by events and the information available about events but also by management perceptions of those risks and, as mentioned above, management’s appetite to take risks. These factors will also influence risk culture, the values and practices that influence how an organisation deals with risk in its day-to-day operations.

What therefore influences the risk appetite of managers?

1.3 Personal views

Surveys suggest that managers acknowledge the emotional satisfaction from successful risk taking, although this is unlikely to be the most important influence on appetite. Individuals vary in their attitudes to risk and this is likely to be transferred to their roles in organisations.



Consider a company such as Virgin. It has many stable and successful brands, and healthy cash flows and profits. There’s little need, you would have thought, to consider risky new ventures.

Yet Virgin has a subsidiary called Virgin Galactic to own and operate privately-built spaceships, and to offer ‘affordable’ sub-orbital space tourism to everybody – or everybody willing to pay for the pleasure. The risks are enormous. Developing the project will involve investing very large amounts of money, there is no guarantee that the service is wanted by sufficient numbers of people to make it viable, and the risks of catastrophic accidents are self-evident. In fact a test flight in October 2014 ended in disaster when the rocket broke apart in mid air. The test pilot was killed and the co-pilot was seriously injured.

There is little doubt that Virgin’s risk appetite derives directly from the risk appetite of its chief executive, Richard Branson – a self-confessed adrenaline junkie – who also happens to own most parts of the Virgin Group privately, and so faces little pressure from shareholders.


1.4 Response to shareholder demand

Shareholders demand a level of return that is consistent with taking a certain level of risk. Managers will respond to these expectations by viewing risk taking as a key part of decision-making.



To some extent it must be true that risk appetite is allied to need. If Company A is cash rich in a stable industry with few competitors and satisfied shareholders it has little need to take on any more risky activities. If, a few years later, a significant number of competitors have entered the market and Company A’s profits start to be eroded then it will need to do something to stop the rot, and it will face demands for change from investors.

Failing to take fresh strategic opportunities may be the most significant risk the business faces.

Woolworths in the UK did not fail simply because of the impact of the credit crunch. It had already become irrelevant to its customers – people were no longer sure why they should go to Woolworths. The credit crunch simply speeded up the inevitable result of catastrophic strategic wearout. Woolworths had continued to offer the same products to the same customers despite the changing customer and competitor landscape.


1.5 Organisational influences

Organisational influences may be important, and these are not necessarily just a response to shareholder concerns. Organisational attitudes may be influenced by significant losses in the past, changes in regulation and best practice, or even changing views of the benefits that risk management can bring.

Attitudes to risk will also depend on the size, structure and stage of development of the organisation.

  • Size of organisation

A larger organisation is likely to require more formal systems and will have to take account of varying risk appetites and incidence among its operations. However, a large organisation will also be able to justify employing risk specialists, either generally or in specific areas of high risk, such as treasury. It is also more likely to be able to diversify its activities so that it is not dependent on a few products.

  • Structure

The risk management systems employed will be dependent on the organisation’s management control systems that will in turn depend on the formality of structure, the autonomy given to local operations and the degree of centralisation deemed desirable.

  • Attitudes to risk

Attitudes to risk will change as the organisation develops and its risk profile changes. For example, attitudes to financial risk and gearing will change as different sources of finance become necessary to fund larger developments.

Unsurprisingly there are particularly onerous responsibilities on trustees of charities. The UK’s Good Governance: A Code for the Voluntary and Community Sector stresses that trustees must exercise special care when investing the organisation’s funds, or borrowing funds for it to use, and must comply with the organisation’s governing document and any other legal requirements.

1.6 National influences

There is some evidence that national culture influences attitudes towards risk and uncertainty. Surveys suggest that attitudes to risk vary nationally according to how much people are shielded from the consequences of adverse events.



Risk taking: is it behavioural, genetic, or learned?

Behaviour of individuals

Risky business has never been more popular. Mountain climbing is among the fastest-growing sports. Extreme skiing – in which skiers descend cliff-like runs by dropping from ledge to snow-covered ledge – is drawing ever-wider interest. The adventure-travel business, which often mixes activities like climbing or river rafting with wildlife safaris, has grown into a multimillion-dollar industry.

Under conventional personality theories, normal individuals do everything possible to avoid tension and risk, and in the not too distant past, students of human behaviour might have explained such activities as an abnormality, a kind of death wish. But in fact researchers are discovering that the psychology of risk involves far more than a simple ‘death wish’. Studies now indicate that the inclination to take high risks may be hard-wired into the brain, intimately linked to arousal and pleasure mechanisms, and may offer such a thrill that it functions like an addiction. The tendency probably affects one in five people, mostly young males, and declines with age.

It may ensure our survival, even spur our evolution as individuals and as a species. Risk taking probably bestowed a crucial evolutionary advantage, inciting the fighting and foraging of the hunter-gatherer.

In mapping out the mechanisms of risk, psychologists hope to do more than explain why people climb mountains. Risk taking, which one researcher defines as ‘engaging in any activity with an uncertain outcome’, arises in nearly all walks of life.

Asking someone on a date, accepting a challenging work assignment, raising a sensitive issue with a spouse or a friend, confronting an abusive boss – these all involve uncertain outcomes, and present some level of risk.

High risk takers

Researchers don’t yet know precisely how a risk-taking impulse arises from within or what role is played by environmental factors, from upbringing to the culture at large. And, while some level of risk taking is clearly necessary for survival (try crossing a busy street without it!), scientists are divided as to whether, in a modern society, a ‘high-risk gene’ is still advantageous.

Some scientists see a willingness to take big risks as essential for success, but research has also revealed the darker side of risk taking. High-risk takers are easily bored and may suffer low job satisfaction. Their craving for stimulation can make them more likely to abuse drugs, gamble, commit crimes and be promiscuous.

Indeed, this peculiar form of dissatisfaction could help explain the explosion of high-risk sports in postindustrial Western nations. In unstable cultures, such as those at war or suffering poverty, people rarely seek out additional thrills. But in rich and safety-obsessed countries, full of guardrails and seat belts, and with personal-injury claims companies swamping TV advertising, everyday life may have become too safe, predictable and boring for those programmed for risk taking.

Until recently, researchers were baffled. Psychoanalytic theory and learning theory relied heavily on the notion of stimulus reduction, which saw all human motivation geared towards eliminating tension. Behaviours that created tension, such as risk taking, were deemed dysfunctional, masking anxieties or feelings of inadequacy.

Yet as far back as the 1950s, research was hinting at alternative explanations. British psychologist Hans J Eysenck developed a scale to measure the personality trait of extroversion, now one of the most consistent predictors of risk taking. Other studies revealed that, contrary to Freud, the brain not only craved arousal but also somehow regulated that arousal at an optimal level. Researchers have extended these early findings into a host of theories about risk taking.

Some scientists concentrate on risk taking primarily as a cognitive or behavioural phenomenon, an element of a larger personality dimension which measures individuals’ sense of control over their environment and their willingness to seek out challenges.

A second line of research focuses on risk’s biological roots. Due to relatively low levels of certain enzymes and neurotransmitters the cortical system of a risk taker can handle higher levels of stimulation without overloading and switching to the fight or flight response. Their brains automatically dampen the level of incoming stimuli, leaving them with a kind of excitement deficit. The brains of people who don’t like taking risks, by contrast, tend to augment incoming stimuli, and thus desire less excitement.

Even then, enzymes are only part of the risk-taking picture. Upbringing, personal experience, socioeconomic status and learning are all crucial in determining how that risk-taking impulse is ultimately expressed. For many climbers their interest in climbing was often shaped externally, either through contact with older climbers or by reading about great expeditions. On entering the sport, novices are often immersed in a tight-knit climbing subculture, with its own lingo, rules of conduct and standards of excellence.

This learned aspect may be the most important element in the formation of the risk-taking personality.

This is much abridged and somewhat adapted from an article in Psychology Today.

Behaviour of organisations

To what extent can these ideas be applied to organisations? The case study indicates that the tendency to take risks or not depends on cognitive psychological factors (willingness to take on challenges) and genetic factors (the relative absence of certain chemicals in the brain that suppress the fear that most people feel when confronted with risk). None of this makes much sense when talking about an abstract non-living thing like a company, which exists only on paper and in the eyes of the law.

However, the case study also indicates that upbringing, personal experience, socioeconomic status and learning play a part and that risk takers tend to be immersed in a subculture with its own language, rules of conduct and standards of excellence.

Equally, organisations have a history and have unique experiences, and are wealthy or struggling. They set rules of conduct and standards of excellence. Their people possess knowledge and talk in organisational jargon. This is commonly called the organisation’s culture.


Exam focus point

In December 2008 Question 1 the differing approaches to a business decision could be distinguished by the risks involved. If you are asked to analyse any business decision, you need to think carefully about the risk implications.

2 Impact of risk on stakeholders

FAST FORWARD            Organisations’ attitudes to risks will be influenced by the priorities of their stakeholders and how much influence stakeholders have. Stakeholders that have significant influence may try to prevent an organisation bearing certain risks.

2.1 Stakeholders’ attitudes to risk

Businesses have to be aware of stakeholder responses to risk – the risk that organisations will take actions or events will occur that will generate a response from stakeholders that has an adverse effect on the business.

To assess the importance of stakeholder responses to risk, the organisation needs to determine how much leverage its stakeholders have over it. As we have seen, Mendelow provides a mechanism for classifying stakeholders.

2.2 Shareholders

They can affect the market price of shares by selling them or they have the power to remove management. It would appear that the key issue for management to determine is whether shareholders:

  • Prefer a steady income from dividends (in which case they will be alert to threats to the profits that generate the dividend income, such as investment in projects that are unlikely to yield profits in the short term)
  • Are more concerned with long-term capital gains, in which case they may be less concerned about a short period of poor performance, and more worried about threats to long-term survival that could diminish or wipe out their investment

2.2.1 Risk tolerances of shareholders

However, the position is complicated by the different risk tolerances of shareholders themselves. Some shareholders will, for the chance of a higher level of income, be prepared to bear greater risks that their investments will not achieve that level of income. Therefore some argue that because the shares of listed companies can be freely bought and sold on stock exchanges, if a company’s risk profile changes, its existing shareholders will sell their shares, but the shares will be bought by new investors who prefer the company’s new risk profile. The theory runs that it should not matter to the company who its investors are. However, this makes the assumption that the investments of all shareholders are actively managed and that shareholders seek to reduce their own risks by diversification. This is not necessarily true in practice.

In addition, we have seen that the corporate governance reports have stressed the importance of maintaining links with individual shareholders. It is therefore unlikely that the directors will be indifferent to who the company’s shareholders are.

Shareholders’ risk tolerance may depend on their views of the organisation’s risk management systems, how effective they are and how effective they should be. Shareholder sensitivity to this will increase the pressures on management to ensure that a risk culture is embedded within the organisation (covered later in this chapter).

2.3 Debt providers and creditors

Debt providers are most concerned about threats to the amount the organisation owes and can take various actions with potentially serious consequences, such as denial of credit, higher interest charges or ultimately putting the company into liquidation.

When an organisation is seeking credit or loan finance, it will obviously consider what action creditors will take if it does default. However, it also needs to consider the ways in which debt finance providers can limit the risks of default by for example requiring companies to meet certain financial criteria or provide security in the form of assets that can’t be sold without the creditors’ agreement or personal guarantees from directors.

These mechanisms may have a significant impact on the development of an organisation’s strategy. There may be a conflict between strategies that are suitable from the viewpoint of the business’s long-term strategic objectives, but are unacceptable to existing providers of finance because of threats to cash flows, or are not feasible because finance suppliers will not make finance available for them, or will do so on terms that are unduly restrictive.

2.4 Employees

Employees will be concerned about threats to their job prospects (money, promotion, benefits and satisfaction) and ultimately threats to the jobs themselves. If the business fails, the impact on employees will be great. However, if the business performs poorly, the impact on employees may not be so great if their jobs are not threatened.

Employees will also be concerned about threats to their personal wellbeing, particularly health and safety issues.

The variety of actions employees can take would appear to indicate the risk is significant. Possible actions include pursuit of their own goals rather than shareholder interests, industrial action, refusal to relocate or resignation.

Risks of adverse reactions from employees will have to be managed in a variety of ways.

  • Risk avoidance – legislation requires that some risks, principally threats to the person, should be avoided
  • Risk reduction – limiting employee discontent by good pay, conditions, etc
  • Risk transfer – for example taking out insurance against key employees leaving
  • Risk acceptance – accepting that some employees will be unhappy but believing the company will not suffer a significant loss if they leave

2.5 Customers and suppliers

Suppliers can provide (possibly unwillingly) short-term finance. As well as being concerned with the possibility of not being paid, suppliers will be concerned about the risk of making unprofitable sales. Customers will be concerned with threats to their getting the goods or services that they have been promised, or not getting the value from the goods or services that they expect.

The impact of customer-supplier attitudes will partly depend on how much the organisation wants to build long-term relationships with them. A desire to build relationships implies involvement of the staff that are responsible for building those relationships in the risk management process. It may also imply a greater degree of disclosure about risks that may arise to the long-term partners in order to maintain the relationship of trust.

2.6 The wider community

Governments, regulatory and other bodies will be particularly concerned with risks that the organisation does not act as a good corporate citizen, implementing for example poor employment or environmental policies. A number of the variety of actions that can be taken could have serious consequences. Government can impose tax increases or regulation or take legal action. Pressure groups’ tactics can include publicity, direct action, sabotage or pressure on government.

Although the consequences can be serious, the risks that the wider community is concerned about can be rather less easy to predict than those of other stakeholders, since they are governed by varying political pressures. This emphasises the need, as part of the risk management process, for careful monitoring of changing attitudes and likely responses to the organisation’s actions.

3 Internal environment


The internal or control environment is influenced by management’s attitude towards control, the organisational structure and the values and abilities of employees.

3.1 Nature of internal environment 12/14

Key terms         The internal or control environment is the overall attitude, awareness and actions of directors and management regarding internal controls and their importance in the entity. The internal environment encompasses the management style, and corporate culture and values shared by all employees. It provides the background against which the various other controls are operated.

COSO’s guidance stresses that a strong commitment at the top of the organisation to sound control compliance, integrity and ethical values is essential for a sound control framework to exist. It may be easier in smaller companies for senior managers to reinforce the companies’ values and oversee staff, as they are more likely to be in close day-to-day contact with staff.

One aspect of a poor control environment would be managers viewing control as an administrative burden, bolted on to existing systems. Instead there needs to be recognition of the business need for, and the benefit from, internal control that is effectively integrated with core processes.

The following factors are reflected in the internal environment.

  • The philosophy and operating style of the directors and management
  • The entity’s culture; whether control is seen as an integral part of the organisational framework, or something that is imposed on the rest of the system
  • The entity’s organisational structure and methods of assigning authority and responsibility (including segregation of duties and supervisory controls)

  • The directors’ methods of imposing control, including the internal audit function, the functions of the board of directors and personnel policies and procedures
  • The integrity, ethical values and competence of directors and staff

The UK Turnbull report highlighted a number of elements of a strong internal environment.

  • Clear strategies for dealing with the significant risks that have been identified
  • The company’s culture, code of conduct, processes and structures, human resource policies and performance reward systems supporting the business objectives and risk management and internal control systems
  • Senior management demonstrating through its actions and policies commitment to competence, integrity and fostering a climate of trust within the company
  • Clear definition of authority, responsibility and accountability so that decisions are made and actions are taken by the appropriate people
  • Communication to employees of what is expected of them and the scope of their freedom to act
  • People in the company having the knowledge, skills and tools to support the achievements of the organisation’s objectives and to manage its risks effectively

However, a strong internal environment does not, by itself, ensure the effectiveness of the overall internal control system although it will have a major influence on it.

The internal environment will have a major impact on the establishment of business objectives, the structuring of business activities and dealing with risks.

3.2 Internal environment and financial reporting

Effective control systems and an effective control environment can make a big contribution to the quality of financial reporting. COSO’s guidance on internal controls over financial reporting sees organisational and personnel issues as having a big impact on the quality of financial reporting. Systems should identify which people or departments are responsible for producing specific information. The lines of reporting for each function and business unit should enable effective reporting. Managers also need to consider carefully whether the levels of authority and responsibility staff are given are appropriate. Individuals need to be able to get their jobs done but there is also a need for proper checks. The organisation must also assess the knowledge and skills required that staff involved in financial reporting must have. Staff need to have the necessary competencies for the work they are doing, and across the organisation there should be sufficient expertise.



Throughout this section of the text we shall use the example of Mazda, the Japanese car manufacturer, to illustrate how a major international company applies the elements identified in the COSO framework.

Mazda’s annual report states that the company does not view compliance as just strictly following legal requirements and regulations. It regards compliance as including conformance with internal rules, the Corporate Ethics code of conduct and social expectations and norms. Mazda aims to instil in employees an understanding of why obedience is required, and the ability to form and carry out faithfully their own standards of behaviour.

4 Embedding risk awareness  12/09, 6/14


Risk awareness should be embedded within an organisation’s processes, environment, culture, structure and systems. Organisations should issue a risk policy statement and maintain a risk register.

4.1 The risk environment

How the control environment accommodates risk issues will be decisive in determining whether it is effective. COSO’s guidance on the internal environment states that an organisation needs to:

  • Establish a philosophy regarding risk management
  • Recognise that unexpected events may occur
  • Establish the entity’s risk culture
  • Consider all other aspects of how the organisation’s actions may affect its risk culture

4.2 Embedding risk awareness and assessment

The Ernst & Young report Managing Risk Across the Enterprise emphasises that risk assessment should evolve into a consistent, embedded activity within a company’s strategic, business, budget and audit planning process rather than be executed as a significant standalone process. Risk awareness should be taken for granted at all levels of the organisation, and should be the foundation of all control systems. Ernst & Young identifies a number of elements of a consistent, embedded approach.

4.2.1 Focus on risk to stakeholder/shareholder value

The Ernst & Young report states that an embedded approach needs to focus not on risks to processes but on risks to shareholder value.

‘Identifying these risks and ensuring that they are properly managed … and appropriately monitored.’

Share value is driven by looking at risks in two key areas, future growth opportunities and core business operations.

  • Future growth opportunities

These are strategies and objectives that the organisation pursues to increase competitive advantage and shareholder value over time. Ernst & Young argues that risks to realising these opportunities are often overlooked. However, the solution is simple. Since future growth opportunities and supporting actions are described in external reports and internal planning documents, all that is required is to identify the most significant risks preventing achievement of these objectives.

  • Core business operations

These comprise the assets and processes in the company that generate or support the largest proportion of profit or revenues. Organisations should identify the key risks inherent in these processes. They should also identify processes that are significantly risky and place a substantial portion of capital at risk, but may not generate significant revenues or profits (for example financial derivative trading).

4.2.2 Consistent action-orientated risk assessment criteria

Ernst & Young suggests that the criteria used should direct and drive monitoring and improvement actions as well as focus and accountability. For this to happen, the report emphasises that as well as considering impact and likelihood, organisations should focus on management response to risk. This will drive the potential improvement or assurance actions.

4.2.3 Common reporting elements and style

Reporting of risks should be consistent across processes and functions, fully support board needs, be concise and be updated routinely.

4.3 Risk culture  12/07

Key term          Culture is ‘the pattern of basic assumptions that a given group has invented, discovered, or developed, in learning to cope with its problems of external adaptation and internal integration, and that have worked well enough to be considered valid and, therefore, to be taught to new members as the correct way to perceive, think and feel in relation to these problems.’ (Schein)

Culture can determine whether new influences and procedures can change things.


Case Study


Learning a culture

Suppose you get a new job that involves operating a machine of some kind. Your induction training taught you that you are expected to spend 15 minutes at the beginning of every production session (morning and afternoon) carrying out routine maintenance on the machine you operate: checking the oil levels, looking out for wear and tear, making sure all the parts are in alignment and properly sharp, and so on.

Of course you will diligently do all this on your first few days, but let’s suppose you quickly become aware that the other machine operators around you start productive work long before you do, and are laughing at you for being so cautious.

By Wednesday lunchtime you have received a visit from your manager who wants to know why your daily output is so much lower than that of the other members of the team. You are also concerned about this because along with your basic pay you are paid a small bonus for every job that you finish, and your colleagues seem to produce far more per day than you do.

You explain that you are just doing what you were taught to do in induction but the manager takes you aside and explains that the more experienced operators ‘know’ when their machines need oiling or adjusting and so on, just from the sound they make and how much they vibrate, and you will soon get to know too. The manager admits that if machines are not properly maintained there is a risk that they will be seriously damaged and production will be lost. But the manager also says that if your machine goes wrong you won’t actually be seriously affected anyway. You will get the rest of the day off, on whatever is your average day’s pay, while it is being fixed. So, ‘between you and your manager’, it is actually in your interest to produce as much as you possibly can, and ignore your supposed maintenance responsibilities.

The manager then mentions that a more senior manager has asked the department to fulfil an unusually large order that week, and your lack of productivity may mean that the more senior manager is let down.

By Wednesday afternoon at the latest, you will probably have concluded that your supposed routine maintenance responsibilities are not actually necessary at all and will get on with productive work immediately. Perhaps you will be looking around to see if, when, and why your colleagues get the oil can out, if they ever do, but you will care a lot less about your machine going wrong.




Question   Organisational problems
What organisational problems are revealed by the case study above?  


The culture of the machine operations section works against the implementation of procedures that are taught to newcomers. The priority is spending the maximum amount of time doing productive work. The procedures learned during induction are regarded as an impediment to productivity.

However, this does not mean the staff in the machine operations section are necessarily wrong. The procedures laid down are probably inappropriate. The people who actually do the job understand the risks far better than the people who devised the induction training and the people who wrote the procedures manual.

The motivation and rewards system is badly designed. For experienced machine operators the risk is that they will lose a small amount of bonus, but even if they do they get a day off.

For the company the risk is lost production and extra expense on repairing machines that have not been as well maintained as they should have been.

‘You’ (the new employee) are a problem, though this is harsh. Strictly you should have reported the fact that you were being pressured into doing something that was in breach of official procedures, but this is very hard. Most people tend to try to fit in, at least at first. In any case, who would you report it to?

You may have had additional ideas.


4.4 Types of risk culture

Different writers have identified different types of culture, based on particular aspects of organisation and management.



In his evidence to the UK House of Commons Treasury select committee, Paul Moore, former head of Group Regulatory Risk at HBOS, stated:

‘There is no doubt that you can have the best governance processes in the world but if they are carried out in a culture of greed, unethical behaviour and indisposition to challenge they will fail.’


4.4.1 Miles and Snow: strategic cultures

Miles and Snow identify three ‘superior performing’ cultures.

  • Defenders. Firms with this culture like low risk, secure markets, and tried and trusted solutions. These companies have cultures whose stories and rituals reflect historical continuity and consensus. Decision taking is relatively formalised. (There is a stress on ‘doing things right’; that is, efficiency.)
  • Prospectors. These are organisations where the dominant beliefs are more to do with results (doing the right things; that is, effectiveness), and therefore prospectors often take high risks.
  • Analysers. These try to balance risk and profits. They use a core of stable products and markets as a source of earnings to move into innovative prospector areas. Analysers follow change, but do not initiate it.

4.4.2 Deal and Kennedy: risk, feedback and reward

Deal and Kennedy (Corporate Cultures) consider cultures to be a function of the level of risks that employees need to take, and how quickly they get feedback on whether they got it right or wrong and/or rewards for doing so.


Low risk cultures

  • Process culture

The process culture occurs in organisations where there is low risk and little or no feedback. People become bogged down with how things are done, not with what is to be achieved. These cultures however often produce consistent results, which is ideal in, for example, public services, banking and insurance.

  • Work hard, play hard culture

This culture is characterised by few risks being taken, all with rapid feedback. This is typical in large organisations, such as retailers which strive for high quality customer service.

High risk cultures

  • Bet your company culture

In the bet your company culture high risk decisions are taken, but it may be years before the results are known. Typically, these might involve development or exploration projects, which take years to come to fruition, such as oil exploration or development of drugs.

  • Tough-guy macho culture

Feedback is quick and the risks and rewards are high. This often applies to fast-moving financial activities, such as brokerage, but could also apply to the police, athletes competing in team sports, advertising and certain types of construction.

4.5 Changing the culture  12/07, 12/09

4.5.1 Importance of control environment

The strength of the control environment will have a very significant impact on how easy or difficult it is to change the control culture. The commitment of top management will be a very significant factor.

4.5.2 Risk awareness and communication

In the first place people cannot be expected to avoid risks if they are not aware that they exist in the first place. Embedding a risk management frame of mind into an organisation’s culture requires top-down communications on what the risk philosophy is and what is expected of the organisation’s people.

Here is an example of an internal communications programme slightly adapted from an example in the COSO Framework.



Internal communications programme

  • Management discusses risks and associated risk responses in regular briefings with employees.
  • Management regularly communicates entity-wide risks in employee communications such as newsletters and an intranet.
  • Enterprise risk management policies, standards and procedures are made readily available to employees along with clear statements requiring compliance.
  • Management requires employees to consult with others across the organisation as appropriate when new events are identified.
  • Induction sessions for new employees include information and literature on the company’s risk management philosophy and enterprise risk management programme.
  • Existing employees are required to take workshops and/or refresher courses on the organisation’s enterprise risk management initiatives.
  • The risk management philosophy is reinforced in regular and ongoing internal communication programmes and through specific communication programmes to reinforce tenets of the company’s culture.


The COSO framework also recommends certain organisational measures for spreading ownership of risk management.

  • Enterprise risk management should be an explicit or implicit part of everyone’s job description.
  • Personnel should understand the need to resist pressure from superiors to participate in improper activities, and channels outside normal reporting lines should be available to permit reporting such circumstances.

4.5.3 Training and involvement

Training is of course essential, especially for new employees and for all when new procedures are introduced. Aside from practical matters like showing employees which buttons to press or how to find out the information they need, training should include an explanation of why things are done in the way that they are. If employees are asked to carry out a new type of check but are not told why, there is every chance that they won’t bother to do it, because they don’t understand its relevance. It just seems to mean more work for them and slows up the process for everyone.

The people who are expected to own risks and risk management will be more inclined to do so if they are involved in the process of identifying risks in the first place and developing responses and controls. This enhances understanding and gives them a stake in risk management.

4.5.4 Performance appraisal and measurement

To influence and alter attitudes, risk issues have to be built into organisations’ human resource systems. Staff’s job descriptions should make clear the extent of their responsibilities for risk management. Their annual performance objectives should include objectives relating to risk, and risk management needs to be considered as part of the performance appraisal and reward systems. As we shall see later in the text, this does not necessarily mean avoiding risks, as this may be overcautious and prevent the organisation from taking advantage of good opportunities.

4.5.5 Changing risk attitudes

The biggest problems are likely to arise when a risk culture already exists but has become inappropriate and needs to be changed. Some people embrace change and thrive on it, but many resist it. There may be a variety of reasons.

  • Change involves the extra effort of ‘unlearning’ old knowledge and the learning of new knowledge.
  • Self-interest may be a factor. A new procedure may entail the involvement of another person or department and be seen as an erosion of power.
  • People may misunderstand the nature of the change.
  • Staff may simply mistrust
  • Employees may not agree that the change is needed.

Coercion and autocratic methods may be necessary on occasions, especially when time is limited, but in the longer term resistance must be overcome if people are ever to accept ownership of risk management. As usual, communication and dialogue are key to this. Here are some other possible methods.

  • Job satisfaction

Those driving the change must identify what constitutes job satisfaction for the relevant group in the organisation.

  • Learning experiences

A change is more likely to be accepted if people have the opportunity to experience first hand what it means for them in a ‘safe’ environment that allows them to make mistakes and to experiment and ask questions to resolve personal concerns. It is often useful to involve people from other parts of the organisation who have already made the transition and can help ease the fears of those who have yet to experience it.

  • Key personnel

Some individuals are more important than others; for example, individuals with significant power to disrupt, individuals with important technical expertise, or individuals whose influence over other people is significant. These people need to be persuaded to buy in to the change as a first priority.

  • Infrastructure

Change – especially sudden change – is often hampered because staff do not have adequate tools. For example, it may be more difficult to obtain the information needed, or staff may have to override old software controls while programs are being rewritten. These are problems that need to be addressed as soon as possible.

Exam focus point

Question 2 in December 2007 asked about embedding risk in the culture of an organisation.



Writing in Risk Management magazine, Gayle Tollifson, chief risk officer at QBE Insurance Company in Australia, emphasises the importance of culture. She comments that in a number of corporate collapses, the tone or culture that boards set for their companies was flawed or ignored. In many instances boards were not aware of problems until too late.

Tollifson emphasises the board’s responsibility to ensure that the right culture exists at all levels of an organisation. At the board level selecting a chief executive who embraces the company’s cultural values is vital, and board-approved policies and standards must lead the way in risk management practice.

Communication is also important. This includes a risk management policy, ensuring the right mechanisms are in place for disclosing issues and that there is a culture of disclosure. This must mean sending a message to staff that the sooner bad news is identified and reported, the sooner the problem can be solved.

As well as embedding risk into the culture, Tollifson explains that companies need to ensure that risk management is an essential part of business operations, considered as part of doing business every day. Risk appetite needs to be considered when overall strategy and policy are set. Risk analysis must form a key part of the business planning framework.

Tollifson also stresses that while a risk management team can make a significant contribution to improving risk management, the board must set the culture entrenching risk awareness, disclosure and transparency. The business managers who create risks must also take responsibility for managing them.


4.6 Risk policy statement

Organisations ought to have a statement of risk policy and strategy that is distributed to all managers and staff and that covers the following areas.

  • Definitions of risk and risk management
  • Objectives of risk policy
  • Regulatory requirements
  • Benefits of risk management
  • How risk management is linked into strategic decision-making and performance
  • What areas of risk management (risk avoidance, risk reduction) are particularly important
  • Risk classification
  • Roles of board, managers, staff and audit and risk committees
  • Internal control framework and important controls
  • Other tools and techniques
  • Assurance reporting
  • Role of training
  • How to obtain help
4.7 Risk register

Organisations should have formal methods of collecting information on risk and response. A risk register lists and prioritises the main risks an organisation faces, and is used as the basis for decision-making on how to deal with risks. The register also details who is responsible for dealing with each risk and the actions taken. The register should show the risk levels before and after control action is taken, to facilitate a cost-benefit analysis of controls.



The Ernst & Young report Managing Risk Across the Enterprise recommends a simpler key risk summary report, ideally fitting on a single page and covering:

  • Risk type (financial, operations, compliance and strategic)
  • Risk description
  • Overall ratings (impact, likelihood, control effectiveness)
  • Key risk management activities
  • Monitoring approach and results
  • Gaps, issues and actions
  • Risk owner/Accountable party
  • Processes, initiatives and objectives affected
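The risk register of Section 4.7 and the single-page key risk summary above lend themselves to a small worked model. The following Python is an added illustration, not code from this text or from Ernst & Young: it scores each risk before and after its control, ranks the register by residual risk, compares the cost of each control with the loss it removes, and produces one summary row per risk. The 1-to-5 rating scales, the calibration of those ratings to annual frequency and monetary loss, the board tolerance threshold and the three sample risks are all constructed assumptions.

```python
"""Worked risk register: inherent vs residual scoring, control cost-benefit
and a one-page key risk summary. Added illustration, not from the text."""
from dataclasses import dataclass

# Constructed calibration of the 1-5 rating scales (assumption): how often a
# risk at each likelihood rating is expected to occur per year, and the
# monetary loss (GBP) of one occurrence at each impact rating.
LIKELIHOOD_PER_YEAR = {1: 0.05, 2: 0.2, 3: 0.5, 4: 1.0, 5: 3.0}
IMPACT_GBP = {1: 10_000, 2: 50_000, 3: 250_000, 4: 1_000_000, 5: 5_000_000}


@dataclass(frozen=True)
class Risk:
    """One register entry; ratings are (likelihood, impact) pairs on 1-5 scales."""
    risk_id: str
    risk_type: str        # financial / operations / compliance / strategic
    description: str
    owner: str            # accountable party
    inherent: tuple       # rating before any control action
    control: str          # key risk management activity
    control_cost: float   # annual cost of operating the control (GBP)
    residual: tuple       # rating after the control is applied
    monitoring: str       # how and how often the control is checked


def score(rating):
    """Simple likelihood x impact score (1..25) used to rank risks."""
    likelihood, impact = rating
    return likelihood * impact


def expected_annual_loss(rating):
    """Expected loss per year for a rating, via the constructed calibration."""
    likelihood, impact = rating
    return LIKELIHOOD_PER_YEAR[likelihood] * IMPACT_GBP[impact]


def control_effectiveness(risk):
    """Fraction of the inherent score removed by the control (0 = none, 1 = all)."""
    return 1 - score(risk.residual) / score(risk.inherent)


def control_net_benefit(risk):
    """Loss reduction bought by the control minus what the control costs.
    Negative means the control costs more than the risk it removes."""
    reduction = expected_annual_loss(risk.inherent) - expected_annual_loss(risk.residual)
    return reduction - risk.control_cost


def prioritise(register):
    """Highest residual risk first; ties broken by inherent score."""
    return sorted(register, key=lambda r: (score(r.residual), score(r.inherent)), reverse=True)


def key_risk_summary(register, tolerance=6):
    """One row per risk with the fields of a single-page key risk report.
    `tolerance` is the highest residual score the board accepts (assumption)."""
    rows = []
    for r in prioritise(register):
        gaps = []
        if score(r.residual) > tolerance:
            gaps.append("residual risk above tolerance: escalate to board")
        if control_net_benefit(r) < 0:
            gaps.append("control costs more than the loss it prevents: review control")
        rows.append({
            "risk_id": r.risk_id,
            "risk_type": r.risk_type,
            "description": r.description,
            "inherent_score": score(r.inherent),
            "residual_score": score(r.residual),
            "control_effectiveness": round(control_effectiveness(r), 2),
            "key_activity": r.control,
            "monitoring": r.monitoring,
            "gaps_and_actions": gaps,
            "owner": r.owner,
        })
    return rows


# Constructed sample register (three made-up risks for illustration only).
SAMPLE_REGISTER = [
    Risk("R1", "operations", "Ransomware outage of the order-processing system",
         "Head of IT", (4, 4), "Offline backups with tested restores",
         60_000, (4, 2), "Quarterly restore test reported to risk committee"),
    Risk("R2", "compliance", "Late statutory filing attracting penalties",
         "Finance Director", (3, 2), "Filing calendar with dual sign-off",
         5_000, (1, 2), "Monthly review of calendar against filings made"),
    Risk("R3", "financial", "FX loss on euro-denominated receivables",
         "Treasurer", (2, 2), "Forward contracts on every euro invoice",
         40_000, (1, 2), "Monthly hedge report"),
]

if __name__ == "__main__":
    for row in key_risk_summary(SAMPLE_REGISTER):
        print(row["risk_id"], row["residual_score"], row["gaps_and_actions"])
```

Two things the register shows that the prose does not: the control on R1 halves the score but still leaves residual risk above the board's tolerance, so the gap column flags it for escalation rather than letting the green-looking control effectiveness figure close the matter; and the hedge on R3 costs more per year than the loss it is expected to avoid, which is exactly the cost-benefit judgement the before-and-after ratings are meant to support.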


Exam focus point

Question 4 in December 2009 illustrated how effective implementation of risk management could be undermined by various aspects of a company’s culture.

5 Risk management responsibilities 6/15

FAST FORWARD

The board has overall responsibility for risk management as an essential part of its corporate governance responsibilities. Responsibilities below board level will depend on the extent of delegation to line managers and whether there is a separate risk management function.

5.1 Responsibilities for risk management

Everyone who works for the organisation has responsibilities for risk management. In this section we shall discuss the responsibilities that directors, operational managers and staff have for managing the risks as part of their duties. The organisation may also employ risk management specialists, who will focus on promoting risk management across the organisation. In larger organisations there will be a separate risk management department. The role of risk specialists is considered in Section 5.2.

5.1.1 The board

As we have seen, the board’s role in managing risk is one of its most important. The board is responsible for determining risk management strategy and monitoring risks as part of its responsibility for the organisation’s overall strategy and its responsibilities to shareholders and other stakeholders. It is also responsible for setting appropriate policies on internal controls and seeking assurance that the internal control system is functioning effectively. It should also communicate the organisation’s strategy to employees.

In 2006 COSO demonstrated how elements of its framework could be applied to financial reporting in its report Internal Control Over Financial Reporting – Guidance for Smaller Public Companies. The underlying theme of the guidance was that companies should ensure that their control framework was appropriately focused on financial reporting considerations. The recommendations in each area included:

  • Control environment – the board of directors should have an understanding of financial reporting issues. The company should employ individuals with sufficient competence in financial reporting and oversight roles.
  • Risk assessment – this should be carried out by management, who should specify the objectives of financial reporting and, following on from these, the risks to reliable financial reporting. Fraud risk should be a major concern.
  • Control activities – appropriate actions should be taken to address risks, including establishing and communicating financial reporting policies and information technology controls.
  • Information and communication – information should be captured and distributed in an appropriate form and in good time.
  • Monitoring – the board should evaluate separately whether internal controls over financial reporting are present and functioning.
5.1.2 The chief executive

Ownership of the risk management and internal control system is a vital part of the chief executive’s overall responsibility for the company. The chief executive must consider in particular the risk and control environment, focusing among other things on how their example promotes a good culture. The chief executive should also monitor other directors and senior staff, particularly those whose actions can put the company at significant risk.

5.1.3 Risk committee 12/08

Boards also need to consider whether there should be a separate board committee, with responsibility for monitoring and supervising risk identification and management. If the board doesn’t have a separate committee, under the UK Corporate Governance Code the audit committee will be responsible for risk management.

As we have seen, consideration of risk certainly falls within the remit of the audit committee. However, there are a number of arguments in favour of having a separate risk management committee.

  • Staffing – a risk management committee can be staffed by executive directors, whereas an audit committee under corporate governance best practice should be staffed by non-executive directors. However, if there are doubts about the competence and good faith of executive management, it will be more appropriate for the committee to be staffed by non-executive directors.
  • Breadth of remit – as a key role of the audit committee will be to liaise with the external auditors, much of their time could be focused on financial risks.
  • Leadership – a risk management committee can take the lead in promoting awareness and driving changes in practice, whereas an audit committee will have a purely monitoring role, checking that a satisfactory risk management policy exists.
  • Investigations – a risk management committee can carry out special investigations, particularly in areas not related to the accounting systems (the audit committee is more likely to investigate the accounting systems, as discussed in Chapter 8).

Companies that are involved in significant financial market risk will often have a risk management committee. The potential for large losses through misuse of derivatives was demonstrated by the Barings bank scandal. A risk management committee can help provide the supervision required. Clearly, though, to be effective, the members will collectively need a high level of financial expertise.

5.1.4 Role and function of risk committee

Evidence of companies that have operated a risk management committee suggests that such a committee will be far more effective if it has clear terms of reference. Morris in An Accountant’s Guide to Risk Management suggests that written terms of reference might include the following.

  • Approving the organisation’s risk management strategy and risk management policy
  • Reviewing reports on key risks prepared by business operating units, management and the board
  • Monitoring overall exposure to risk and ensuring it remains within limits set by the board
  • Assessing the effectiveness of the organisation’s risk management systems
  • Providing early warning to the board on emerging risk issues and significant changes in the company’s exposure to risks
  • In conjunction with the audit committee, reviewing the company’s statement on internal control with reference to risk management, prior to endorsement by the board

Note that the focus is on supervision and monitoring rather than the committee having responsibility for day-to-day decision-making and implementation of policies.



The UK Walker report recommended that FTSE 100 bank or life assurance companies should establish a risk committee. Reasons for this recommendation included the need to avoid overburdening the audit committee, and to draw a distinction between the largely backward-looking focus of the audit committee and the need for a forward-looking focus on determining risk appetite and, from this, monitoring appropriate limits on exposures and concentrations. The committee should have a majority of non-executive directors. Any executive risk committee should be overseen by the board risk committee.

Walker recommended that the committee should concentrate on the fundamental prudential risks for the institution: leverage, liquidity risk, interest rate and currency risk, credit/counterparty risks and other market risks. It should advise the board on current risk exposures and future risk strategy, and the establishment of a supportive risk culture.

The committee should regularly review and approve the measures and methodology used to assess risk. A variety of measures should be used. The risk committee should also advise the remuneration committee on risk weightings to be applied to performance objectives incorporated within the incentive structure for executive directors.

Having a separate risk management committee can aid the board in its responsibility for ensuring that adequate risk management systems are in place. The application of risk management policies will then be the responsibility of operational managers, and perhaps specialist risk management personnel, as described below.


5.1.5 Internal and external audit 6/15

Risk is integral to the work of internal and external audit, both in terms of influencing how much work they do (with more work being done on riskier areas) and also what work they actually do. The external auditors will be concerned with risks that impact most on the figures shown in the financial accounts. Internal auditors’ role is more flexible, and their approach will depend on whether they focus on the controls that are being operated or on the overall risk management process.

5.1.6 Line managers

The UK Turnbull report stresses the role of management in implementing broad policies on risk and control, including identifying and evaluating risk and designing and operating an appropriate system of internal control. Managers should have an awareness of the risks that fall into their areas of responsibility and possible links with other areas. The performance indicators they use should help them monitor key business and financial activities and highlight when intervention is required.  

Line managers will be involved in communicating risk management policies to staff and will of course ‘set a good example’. Line managers are also responsible for preparing reports that will be considered by the board and senior managers.

Part of the role of line managers may be to carry out detailed risk management functions. The office manager may deal with fire precautions and the managing director with buying insurances, for example, and each may call in experts to assist with these functions.

In larger organisations, a risk management group of senior operational managers may operate below the board’s risk management committee. The risk management group will concentrate on risk responses and will also monitor risk management to see that the strategies and policies are operating effectively.

5.1.7 Staff

Staff will be responsible for following the risk management procedures the organisation has established, and should be alert for any conditions or events that may result in problems. Staff need an understanding of their accountability for individual risks and that risk management and risk awareness are a key part of the organisation’s culture. They must be aware of how to report any concerns they have, particularly newly identified risks, failures of existing control measures, and variances in budgets and forecasts.

The UK Turnbull report emphasises the need for employees to take responsibility for risk management and internal control. This requires them to have the necessary knowledge, skills, information and authority to operate and monitor the control system. This requires understanding the company, its objectives, the industries and markets in which it operates and the risks it faces.

5.2 Risk management personnel
5.2.1 Risk specialists

Because of the variety and size of the risks faced, many organisations employ specialists in risk management or operate a separate risk management department.

5.2.2 Risk manager 6/09

Lam (Enterprise Risk Management) gives a detailed description of the role of the risk manager. The COSO framework also has a list of responsibilities. Combining these sources we can say that the specialist risk manager is typically responsible for:

  • Providing the overall leadership, vision and direction for enterprise risk management
  • Establishing an integrated risk management framework for all aspects of risk across the organisation, integrating enterprise risk management with other business planning and management activities and framing authority and accountability for enterprise risk management in business units
  • Promoting an enterprise risk management competence throughout the entity, including facilitating development of technical enterprise risk management expertise, helping managers align risk responses with the entity’s risk tolerances and developing appropriate controls
  • Developing RM policies, including the quantification of management’s risk appetite through specific risk limits, defining roles and responsibilities, ensuring compliance with codes, regulations and statutes and participating in setting goals for implementation
  • Establishing a common risk management language that includes common measures around likelihood and impact, and common risk categories; developing the analytical systems and data management capabilities to support the risk management programme
  • Implementing a set of risk indicators and reports including losses and incidents, key risk exposures, and early warning indicators; facilitating managers’ development of reporting protocols, including quantitative and qualitative thresholds, and monitoring the reporting process
  • Dealing with insurance companies: an important task because of increased premium costs, restrictions in the cover available (will particular risks be excluded from cover?) and the need for negotiations with insurance companies if claims arise; if insurers require it, demonstrating that the organisation is taking steps actively to manage its risks; arranging financing schemes such as self-insurance or captive insurance
  • Allocating economic capital to business activities based on risk, and optimising the company’s risk portfolio through business activities and risk transfer strategies
  • Reporting to the chief executive on progress and recommending action as needed
  • Communicating the company’s risk profile to key stakeholders such as the board of directors, regulators, stock analysts, rating agencies and business partners

The risk manager will need to show leadership and persuasive skills to overcome resistance from those who believe that risk management is an attempt to stifle initiative.

The risk manager’s contribution will be judged by how much they increase the value of the organisation. The specialist knowledge a risk manager has should allow the risk manager to assess long-term risk and hazard outcomes and therefore decide what resources should be allocated to combating risk.

Clearly certain strategic risks are likely to have the biggest impact on corporate value. Therefore a risk manager’s role may include management of these strategic risks. These may include those having a fundamental effect on future operations, such as mergers and acquisitions, or risks that have the potential to cause large adverse impacts, such as currency hedging and major investments.



The role of the risk manager was highlighted in February 2009 by the evidence given to the UK House of Commons Treasury Select Committee enquiry into the banking system by Paul Moore, the ex-head of Group Regulatory Risk at HBOS. Moore had allegedly been sacked by Sir James Crosby, Chief Executive Officer at HBOS. As a result of Moore making his allegations, Sir James resigned as deputy chairman of the London city watchdog, the Financial Services Authority.

Moore stated that in his role he ‘felt a bit like being a man in a rowing boat trying to slow down an oil tanker’. He said that he had told the board that its sales culture was out of balance with its systems and controls. The bank was growing too fast, did not accept challenges to policy, and was a serious risk to financial stability and consumer protection. The reason why Moore was ignored and others were afraid to speak up was, he alleged, that the balance of powers was weighted towards executive directors, not just in HBOS but in other banks as well.

‘I believe that, had there been highly competent risk and compliance managers in all the banks, carrying rigorous oversight, properly protected and supported by a truly independent non-executive, the external auditor and the FSA, they would have felt comfortable and protected to challenge the practices of the executive without fear for their own positions. If this had been the case, I am also confident that we would not have got into the current crisis.’

Moore was replaced by a Group Risk Director who had never previously been a risk manager. The new head had been a sales manager and was allegedly appointed by the Chief Executive Officer without other board members having much, if any, say in the appointment.

During the time that Paul Moore was head of Group Regulatory Risk, the Financial Services Authority had raised its own concerns about practices at HBOS and had kept a watching brief over the bank. In December 2004 the Authority noted that although the group ‘had made good progress in addressing the risks highlighted in February 2004, the group risk functions still needed to enhance their ability to influence the business’. In June 2006 the authority stated that while the group had improved its framework, it still had concerns: ‘The growth strategy of the group posed risks to the whole group and these risks must be managed and mitigated.’

At the end of the week in which Paul Moore’s evidence was published, Lloyds, which had taken over HBOS, issued a profit warning in relation to HBOS for 2008 for losses of over £10 billion.


5.2.3 Risk management department

Larger companies may have a bigger risk management department whose responsibilities are wider than a single risk manager. The Institute of Risk Management’s Risk Management Standard lists the main responsibilities of the risk management department.

  • Setting policy and strategy for risk management
  • Primary champion of risk management at a strategic and operational level
  • Building a risk-aware culture within the organisation including appropriate education
  • Establishing internal risk policy and structures for business units
  • Designing and reviewing processes for risk management
  • Co-ordinating the various functional activities which advise on risk management issues within an organisation
  • Developing risk response processes, including contingency and business continuity programmes
  • Preparing reports on risks for the board and stakeholders

Exam focus point

The study guide emphasises the roles of the risk management committee and (specialist) risk management function, so you may well be asked to explain what they do.

5.3 Resourcing risk management

Whatever the division of responsibilities for risk management, the organisation needs to think carefully about how risk management is resourced. Sufficient resources will be required to implement and monitor risk management (including the resources required to obtain the necessary information). Management needs to consider not only the expenditure required, but also the human resources in terms of skills and experience.

6 Objective setting

The board’s objective-setting process must encompass various levels of objectives. Risk appetite and risk tolerance will have a significant impact on objectives.


6.1 Objective setting and corporate governance

Remember we mentioned in Chapter 3 that corporate governance best practice requires boards to draw up a schedule of matters that should be considered by the board itself. This should include the objectives to which the board gives particular attention.

6.2 Mission, corporate objectives and unit objectives

Objectives come in hierarchies, with the objectives lower down in the hierarchy contributing to the objectives higher up. Granger identifies three types of objectives.

  • Mission
  • Corporate objectives
  • Unit objectives
6.2.1 Mission

A mission is a general objective, visionary, often unwritten, and very open-ended, without any time limit for achievement. A commercial company in the leisure industry might have a mission of improving the quality of people’s lives by providing them with all the leisure activities they want.

6.2.2 Entity (corporate) objectives

Corporate objectives are those which are concerned with the firm as a whole. Objectives should be explicit, quantifiable and capable of being achieved. The corporate objectives outline the expectations of the firm and the strategic planning process is concerned with the means of achieving the objectives. Objectives should relate to the key factors for business success, which are typically as follows.

  • Profitability (return on investment)
  • Market share
  • Growth
  • Cash flow
  • Customer satisfaction
  • The quality of the firm’s products
  • Industrial relations
  • Added value
6.2.3 Subsidiary, business unit, division objectives

As well as stressing the importance of setting objectives at the entity level, the COSO model also emphasises the importance of establishing strategy and control at the division, business unit and subsidiary levels. They will have strategic objectives, but a lot of their important objectives will be operational objectives.

From the commercial sector:

  • Increasing the number of customers by x% (sales department)
  • Reducing the number of rejects by 50% (production department)

From the public sector:

  • To provide cheap subsidised bus travel (a local authority transport department)
  • To introduce more nursery education (an objective of a borough education department)
6.3 Categories of objectives

As part of its enterprise risk management model, COSO categorises objectives into four categories.

  • Strategic – high-level goals, aligned with and supporting the organisation’s mission
  • Operational – effective and efficient use of resources
  • Reporting – reliability of reporting
  • Compliance – compliance with applicable laws and regulations

COSO states that this categorisation allows entities to focus on separate aspects of risk management. The categories have some overlaps, but they address different needs and may be the direct responsibility of different managers.



Mazda’s CSR Management Strategy Committee convenes twice a year, with members of the Executive Committee in attendance. Its task is to identify CSR implementation policy and high-priority issues from medium to long-term perspectives, and to establish specific issues for each field and area of operations. CSR in Mazda is integral to the company’s operations. It includes ensuring customer satisfaction as well as developing environmentally responsible products and participating in local communities.

Mazda’s recent strategy has been based on its ‘Sustainable Zoom-Zoom’ plan, its long-term vision for technology development. The plan stresses Mazda’s desire to harmonise driving performance with safety and the environment in building vehicles that ‘look inviting to drive, are fun to drive, and make you want to drive them again.’


6.4 Environmental analysis

Environmental analysis should support the board’s objective-setting process.

The environment is a source of uncertainty. Decision-makers do not have sufficient information about environmental factors. Many things are out of their control. The overall degree of uncertainty may be assessed along two axes: simplicity/complexity and stability/dynamism.

(a) Simplicity/complexity

  • The variety of influences faced by an organisation. The more open an organisation is, the greater the variety of influences. The greater the number of markets the organisation operates in, the greater the number of influences to which it is subject and the greater the exposure to certain risks, for example currency and trading risks.
  • The amount of knowledge necessary. Some environments, to be handled successfully, require knowledge. All businesses need to have knowledge of the tax system, for example, but only pharmaceuticals businesses need to know about mandatory testing procedures for new drugs.
  • The interconnectedness of environmental influences causes complexity. Importing and exporting companies are sensitive to exchange rates, which themselves are sensitive to interest rates. Interest rates then influence a company’s borrowing costs. Scenario-building and modelling are ways of dealing with complexities to develop an understanding of environmental conditions.

(b) Stability/dynamism

  • An area of the environment is stable if it remains the same. Firms which can predict demand face a stable environment.
  • An unstable environment changes often. The environment of many fashion goods is unstable, for example.

6.4.1 The changing environment

Changes in the business environment can be driven by various developments, including:

  • Globalisation of business – increased competition and global customers as domestic markets become saturated and companies are able to compete easily anywhere in the world
  • Science and technology developments, especially in communications (the internet) and transport (particularly air travel)
  • Mergers, acquisitions and strategic alliances
  • Changing customer values and behaviour
  • Increased scrutiny of business decisions by government and the public
  • Increased liberalisation of trade, and deregulation and co-operation between business and government have eased access to foreign markets
  • Changes in business practices – downsizing, outsourcing and re-engineering
  • Changes in the social and business relationships between companies and their employees, customers and other stakeholders
6.5 Determining strategy

The COSO ERM framework highlights the need for well-defined objectives and strategies in different parts of an organisation as well as for the organisation as a whole. The organisation needs to consider three levels of strategy.

  • Corporate: the general direction of the whole organisation
  • Business: how the organisation or its business units tackle particular markets
  • Operational/functional: specific strategies for different departments of the business
6.5.1 Corporate strategy

Corporate strategy is concerned with what types of business the organisation is in. It ‘denotes the most general level of strategy in an organisation’ (Johnson and Scholes).

Aspects of corporate strategy

  • Scope of activities – strategy and strategic management impact on the whole organisation: all parts of the business operation should support and further the strategic plan.
  • Environment – the organisation counters threats and exploits opportunities in the environment (customers, clients, competitors).
  • Resources – strategy involves choices about allocating or obtaining corporate resources now and in the future.
  • Values – the values of people with power in the organisation influence its strategy.
  • Timescale – corporate strategy has a long-term impact.

6.5.2 Business strategy

Business strategy includes such decisions as whether to segment the market and specialise in particularly profitable areas (discussed below), or to compete by offering a wider range of products.

6.5.3 Operational strategy

Operational or functional strategies deal with specialised areas of activity.

Functional areas and their strategies

  • Marketing – devising products and services, pricing, promoting and distributing them, in order to satisfy customer needs at a profit. Marketing and corporate strategies are interrelated.
  • Production – factory location, manufacturing techniques, outsourcing, and so on.
  • Finance – ensuring that the firm has enough financial resources to fund its other strategies by identifying sources of finance and using them effectively.
  • Human resources management – securing personnel of the right skills in the right quantity at the right time, and ensuring that they have the right skills and values to promote the firm’s overall goals.
  • Information systems – a firm’s information systems are very important, as an item of expenditure, as administrative support and as a tool for competitive strength.
  • R&D – new products and techniques.

6.6 Areas of strategic decision-making
6.6.1 Markets

One key decision is how the markets within which the business operates are determined.

As well as making broad decisions about the markets in which they will trade, businesses will also determine which segments within those markets they will target.

The total market consists of widely different groups of consumers. However, each group consists of segments, people (or organisations) with common needs and preferences, who perhaps react to ‘market stimuli’ in much the same way. Each market segment can become a target market for an organisation.

There are many possible bases for segmentation.

  • Geographical area
  • Age
  • End use (eg work or leisure)
  • Gender
  • Level of income
  • Occupation
  • Education
  • Religion
  • Ethnicity
  • Nationality
  • Social class
  • Buyer behaviour
  • Lifestyle

Clearly the segment decisions will have an impact on the risks that the business faces. Choice of geographical area will influence the level of currency and trading risks. Targeting a market where buyer behaviour is not very stable may involve higher risk levels but also perhaps higher returns.

6.6.2 Business structure

Business structure impacts significantly on the application of the COSO model. The COSO cube demonstrates clearly that the model needs to be applied in each business unit, so how these units are constituted and the autonomy that they are given will have a significant influence on how risk management is carried out.

Divisionalisation is the division of a business into autonomous regions or product businesses, each with its own revenues, expenditures and capital asset purchase programmes, and therefore each with its own profit and loss responsibility and decision-making.

Each division of the organisation might be:

  • A subsidiary company under the holding company
  • A profit centre or investment centre within a single company
  • A strategic business unit (SBU) within the larger company, with its own objectives

The advantages and disadvantages of divisionalisation include the following.

Advantages
  • Focuses the attention of management below ‘top level’ on business performance
  • Reduces the likelihood of unprofitable products and activities being continued
  • Encourages a greater attention to efficiency, lower costs and higher profits

Disadvantages
  • In some businesses, it is impossible to identify completely independent products or markets for which separate divisions can be set up.
  • Divisionalisation is only possible at a fairly senior management level, because there is a limit to how much discretion can be used in the division of work. For example, every product needs a manufacturing function and a selling function.
  • There may be more resource problems. Many divisions get their resources from head office in competition with other divisions.
6.7 Setting risk appetite and risk tolerance

An organisation needs to have objectives in place and an idea of what strategies can be used to implement those objectives in order for management to identify risks connected with those strategies. However, COSO emphasises that overall risk strategy must be considered when objectives are set and the risk appetite (the risks the directors wish to accept) is decided.

Risk tolerance (the risks the organisation bears in relation to particular strategies) needs to be aligned with risk appetite.

Factors directors will take into account include the risks of failure associated with a new product, the need for risky new strategies to expand the company and the level and speed of change in the market or environment.



Paul Moore, in his evidence to the Treasury Select Committee on HBOS, highlighted examples of excessive risk taking.

‘There must have been a very high risk if you lend money to people who have no jobs, no provable income and no assets. If you lend that money to buy an asset which is worth the same or even less than the amount of the loan and secure that loan on the value of that asset purchased, and then assume that asset will always continue to rise in value, you must be pretty much close to delusional.’


Enterprise risk management requires the entity to take a portfolio view of risk. Management should consider how individual risks interrelate and develop an entity perspective from the business unit and entity levels.

The Turnbull report also provides guidance on what the board should consider when setting objectives:

  • The nature and extent of the risks facing the company
  • The extent and categories of risk which it regards as acceptable for the company to bear
  • The likelihood of the risks materialising
  • The company’s ability to reduce the incidence and impact on the business of risks that do materialise
  • The costs of operating particular controls relative to the benefits obtained in managing the related risks
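As an added worked example (not part of the original text), the risk appetite and risk tolerance ideas above, together with the Turnbull considerations of likelihood, impact and the cost of a control relative to its benefit, can be put into a small risk register. Each risk carries an owner, an inherent exposure (probability × impact), the control applied and its cost, and a residual exposure; the register is then checked risk by risk against a tolerance and as a whole against the appetite, which is the portfolio view. All names, figures and thresholds below are assumptions for illustration only.

```python
"""A minimal risk register: inherent and residual exposure for each risk,
Turnbull's cost-versus-benefit test for a control, and checks against risk
tolerance (per risk) and risk appetite (entity-wide, the portfolio view).
All figures, thresholds and risk names are assumed for illustration."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    owner: str                                    # who is responsible for dealing with the risk
    probability: float                            # chance of materialising in a year, 0..1
    impact: float                                 # loss if it materialises, in currency units
    control: str = "none"                         # action taken
    control_cost: float = 0.0                     # annual cost of operating the control
    residual_probability: Optional[float] = None  # after the control, where it changes
    residual_impact: Optional[float] = None

    def __post_init__(self) -> None:
        for p in (self.probability, self.residual_probability):
            if p is not None and not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.name}: probability must lie in [0, 1]")

    def inherent_exposure(self) -> float:
        """Expected annual loss before any control: probability x impact."""
        return self.probability * self.impact

    def residual_exposure(self) -> float:
        """Expected annual loss once the control is in operation."""
        p = self.probability if self.residual_probability is None else self.residual_probability
        i = self.impact if self.residual_impact is None else self.residual_impact
        return p * i

    def control_benefit(self) -> float:
        """Reduction in expected loss that the control buys."""
        return self.inherent_exposure() - self.residual_exposure()

    def control_worthwhile(self) -> bool:
        """Turnbull's test: benefit obtained versus the cost of operating the control."""
        return self.control_benefit() > self.control_cost


def prioritise(register: List[Risk]) -> List[Risk]:
    """Order the register by residual exposure, largest first."""
    return sorted(register, key=lambda r: r.residual_exposure(), reverse=True)


def breaches_tolerance(register: List[Risk], tolerance: float) -> List[Risk]:
    """Risks whose residual exposure exceeds the per-risk tolerance."""
    return [r for r in register if r.residual_exposure() > tolerance]


def total_residual_exposure(register: List[Risk]) -> float:
    return sum(r.residual_exposure() for r in register)


def within_appetite(register: List[Risk], appetite: float) -> bool:
    """Portfolio view: the register as a whole must stay inside the appetite."""
    return total_residual_exposure(register) <= appetite


# Constructed sample register (GBP); every figure is illustrative only.
SAMPLE_REGISTER = [
    Risk("Key customer defaults", "Finance director", 0.10, 500_000,
         "Credit insurance", 20_000, residual_impact=100_000),
    Risk("Factory fire halts production", "Operations director", 0.02, 2_000_000,
         "Sprinklers and continuity plan", 30_000, residual_impact=400_000),
    Risk("Sterling/dollar rate moves against us", "Treasurer", 0.50, 80_000,
         "Forward contracts", 5_000, residual_impact=10_000),
    Risk("Payroll system outage loses a day's data", "IT manager", 0.30, 40_000,
         "Daily off-site backup", 2_000, residual_impact=5_000),
    Risk("Director overrides expenditure authorisation", "Audit committee", 0.05, 300_000),
]


def report(register: List[Risk], tolerance: float, appetite: float) -> List[str]:
    """One line per risk in priority order, plus the entity-level verdict."""
    lines = []
    for r in prioritise(register):
        flag = " OVER TOLERANCE" if r.residual_exposure() > tolerance else ""
        verdict = "worthwhile" if r.control_worthwhile() else "not worthwhile"
        lines.append(f"{r.name} ({r.owner}): inherent {r.inherent_exposure():,.0f}, "
                     f"residual {r.residual_exposure():,.0f}, control {r.control!r} {verdict}{flag}")
    state = "within" if within_appetite(register, appetite) else "exceeds"
    lines.append(f"Total residual {total_residual_exposure(register):,.0f} {state} appetite {appetite:,.0f}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REGISTER, tolerance=12_000, appetite=50_000)))
```

Running the sample shows the untreated risk at the top of the priority list and over tolerance, even though its inherent exposure is smaller than that of two treated risks; expected-loss figures of this kind are only as good as the probability and impact estimates behind them, which is why the register also records who owns each risk and what action has actually been taken.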



Johnson and Scholes have identified various change management strategies that could be used to embed a new risk culture.

Method Techniques Benefits Drawbacks (benefits and drawbacks to be completed)

Education and communication
  • Small group briefings
  • Newsletters
  • Management development
  • Training

Participation and involvement
  • Small groups
  • Delegates and representatives

Facilitation and support
  • One-on-one counselling
  • Personal development
  • Provision of organisational resources

Negotiation and agreement
  • Provision of rewards
  • Collective bargaining

Manipulation and co-optation
  • Influence staff who are positively disposed
  • Buy off informal leaders
  • Provide biased information

Explicit and implicit coercion
  • Threaten staff with penalties
  • Create a sense of fear
  • Victimise individuals to send a message to the rest



Complete the table by identifying the benefits and drawbacks of each strategy.



Method Techniques Benefits Drawbacks

Education and communication
  Techniques: small group briefings; newsletters; management development; training
  Benefits: overcomes lack of information
  Drawbacks: time consuming; direction of change may be unclear; can’t cope with change that opposes vested interests

Participation and involvement
  Techniques: small groups; delegates and representatives
  Benefits: increases ownership of decisions and change; may improve quality of decisions
  Drawbacks: time consuming; changes are limited to the existing paradigm

Facilitation and support
  Techniques: one-on-one counselling; personal development; provision of organisational resources
  Benefits: creates learning; minimises feelings of being left out
  Drawbacks: no guarantee of a valuable outcome; very slow

Negotiation and agreement
  Techniques: provision of rewards; collective bargaining
  Benefits: retains goodwill; deals with powerful interests
  Drawbacks: may sacrifice change to the need for agreement; agreements may not be adhered to

Manipulation and co-optation
  Techniques: influence staff who are positively disposed; buy off informal leaders; provide biased information
  Benefits: can remove powerful obstacles; creates ambassadors for change
  Drawbacks: ethically questionable; becomes like blackmail; may eliminate trust

Explicit and implicit coercion
  Techniques: threaten staff with penalties; create a sense of fear; victimise individuals to send a message to the rest
  Benefits: management control the direction of change
  Drawbacks: ethically questionable; may eliminate trust; may rebound in future when management are weak

Hopefully you will be able to draw on some of your own experiences when answering this question.


Chapter Roundup

Management responses to risk are not automatic, but will be determined by their own attitudes to risk, which in turn may be influenced by cultural factors.
Organisations’ attitudes to risks will be influenced by the priorities of their stakeholders and how much influence stakeholders have. Stakeholders that have significant influence may try to prevent an organisation bearing certain risks.
The internal or control environment is influenced by management’s attitude towards control, the organisational structure and the values and abilities of employees.
Risk awareness should be embedded within an organisation’s processes, environment, culture, structure and systems. Organisations should issue a risk policy statement and maintain a risk register.
The board has overall responsibility for risk management as an essential part of its corporate governance responsibilities. Responsibilities below board level will depend on the extent of delegation to line managers and whether there is a separate risk management function.
The board’s objective-setting process must encompass various levels of objectives. Risk appetite and risk tolerance will have a significant impact on objectives.

Quick Quiz

1 Match the term to the definition.

  (a) Risk appetite
  (b) Risk capacity
  (c) Risk attitude

    (i) The nature and strength of risks that an organisation is able to bear
    (ii) The nature and strength of risks that an organisation is prepared to bear
    (iii) The directors’ views on the level of risk that they consider desirable

2 What are the main elements that should be covered by a risk policy statement?

3 Which of the following is not an argument in favour of establishing a risk management committee that is separate from the audit committee?

  A The risk management committee can be staffed by executive directors.
  B Because they are non-executive directors, members of the audit committee may have insufficient time to consider in sufficient detail all the major risks faced by the company.
  C The risk management committee can concentrate on areas where risks are particularly high.
  D The role of the audit committee is constrained by corporate governance codes, whereas a risk management committee can have a much wider brief.

4 True or false? Shareholders’ principal concern is always threats to the level of dividend they receive.

5 What are the main factors that will be reflected in the organisation’s control environment?

6 Fill in the blank:

…………………………………. is the pattern of basic assumptions that a given group has invented, discovered or developed in learning to cope with its problems.

7 Name Granger’s three types of objectives.

8 What are the main contents of a risk register?

Answers to Quick Quiz

1 (a) (ii) (b) (i) (c) (iii)

2 • Definitions of risk and risk management
  • Objectives of risk policy
  • Regulatory requirements
  • Benefits of risk management
  • How risk management is linked to strategic decision-making and performance
  • What areas of risk management (risk avoidance, risk reduction) are particularly important
  • Risk classification
  • Roles of board, managers, staff and audit and risk committees
  • Internal control framework and important controls
  • Other tools and techniques
  • Assurance reporting
  • Role of training
  • How to obtain help

3 D The role of the audit committee can go beyond what is suggested in the corporate governance codes.

4 False. Shareholders may prefer to make a long-term capital gain.

5 • The philosophy and operating style of the directors and management
  • The entity’s organisational structure and methods of assigning authority and responsibility (including segregation of duties and supervisory controls)
  • The directors’ methods of imposing control, including the internal audit function, the functions of the board of directors and personnel policies and procedures
  • The integrity, ethical values and competence of directors and staff

6 Culture

7 • Mission
  • Corporate objectives
  • Unit objectives

8 • List of main risks
  • Priorities for tackling risks
  • Who is responsible for dealing with risks
  • Action taken
  • Risk levels before and after action taken



Number Level Marks Time
Q5 Examination 25 49 mins



We have already mentioned risks when discussing internal controls. In this
chapter we look at the risks organisations face. You will have encountered
categorisation of risks in your auditing studies – the inherent, control, detection
classification. While useful in an external audit context, there are more useful
ways of classifying risks faced by organisations, partly because the external
auditors are most concerned with risks relating to financial statements,
whereas directors have to take a wider perspective.
In Section 1 we draw the important distinction between the strategic risks
(integral, long-term risks that the board is likely to be most concerned with)
and operational risks (largely the concern of line management). Section 2 lists
many of the common business risks. However, it is not comprehensive and you
may have to use your imagination to identify other risks.
In Section 3 we look at the processes for identifying risks. This leads on in
Chapter 7 to the processes for assessing how serious risks are.

Study guide

    Intellectual level
C2 Categories of risk  
(a) Define and compare (distinguish between) strategic and operational risks. 2
(b) Define and explain the sources and impacts of common business risks. 2
(c) Describe and evaluate the nature and importance of business and financial risks. 3
(d) Recognise and analyse the sector or industry specific nature of many business risks. 2
C3 Identification, assessment and measurement of risk  
(h) Explain and evaluate the concepts of related and covariant risk factors. 3

Exam guide

When trying to identify risks in the exam, consider the scenario and in particular what aspects of the scenario are currently changing – these will point you towards important risks. The most important question, though, when considering what risks could affect an organisation is ‘What could go wrong?’

1 Strategic and operational risks    12/08, 12/10, 12/12


Strategic risks are risks that relate to the fundamental decisions that the directors take about the future of the organisation.

Operational risks relate to matters that can go wrong on a day-to-day basis while the organisation is carrying out its business.

There are many different types of risks faced by commercial organisations, particularly those with international activities.



You only need to glance at the business pages of a newspaper on any day you like to find out why risk management is a key issue in today’s business world. For example, look at some of the main stories in the UK on the Daily Telegraph’s business pages on a single day.

  • A story about the then likely failure of MG Rover. This was in spite of the fact that the four owners of Phoenix Venture Holdings, who bought MG Rover for just £10 in 2000, had made more than £30m for themselves since. They had been heavily criticised for handing themselves a four-way split of a £10m ‘IOU’ note within months of the deal’s completion in 2000. They also set up a £16.5m pension fund for company directors and separately took control of a lucrative car financing business.
  • A story about employees of the Bermuda office of the insurer American International Group (AIG), who were caught trying to destroy documents as the company faced ever-expanding enquiries into the conduct of the business.
  • A story about how Glaxo faces claims in the US courts that its patents for the Aids drug AZT are invalid. The patents are worth around £1.1bn a year to Glaxo which controls 40% of the lucrative Aids drug market.
  • A story about clothing retailer Alexon, which estimated that £3m would be knocked off its profits as a result of the collapse of Allders, the stores where it ran 118 concessions. The story also notes poor sales at the Alexon group’s youth fashion chain Bay Trading. ‘The company refused to blame the weather’. Robin Piggot, finance director, said: ‘We were trimming the value of our garments, making them cheaper and cheaper but less interesting’.
  • A story about how shoppers may face shortages of pasta and garlic bread as a result of a fire in a factory at Burton-on-Humber owned by chilled food producer Geest.

Here we can observe risks to the wellbeing of companies arising from questionable dealings by directors, questionable actions of employees, the actions of competitors, the problems of customers/partners, the weather, poor product design and fire. And all on a single day!


Exam focus point: Exam questions will cover a range of risks, not just financial risks.

1.1 Strategic risks    6/14

Key terms: Strategic risk is the potential volatility of profits caused by the nature and type of the business operations. Business risks are strategic risks that threaten the survival of the whole business.

The most significant risks are focused on the strategy the organisation adopts, including concentration of resources, mergers and acquisitions and exit strategies. As we discussed in Chapter 5 the market segments the business chooses will be a significant influence. These will have major impacts on costs, prices, products and sales, as well as the sources of finance used. Business risks, the most serious risks, are likely to be greatest for those in start-up businesses or cyclical industries. However, perhaps the most notable victim of the credit crunch over the last few years, Lehman Brothers, was not immune to business risks even after 158 years of operating.

Organisations also need to guard against the risk that business processes and operations are not aligned to strategic goals, or are disrupted by events that are not generated by business activities.

Strategic risks can usefully be divided into:

  • Threats to profits, the magnitude of which depends on the decisions the organisation makes about the products and services it supplies
  • Threats to profits that are not influenced by the products or services the organisation supplies

Risks to products and services include long-term product obsolescence. Changes in technology also have long-term impacts if they change the production process. The significance of these changes depends on how important technology is in the production processes. Long-term macroeconomic changes, for example a worsening of a country’s exchange rate, are also a threat.

Non-product threats include risks arising from the long-term sources of finance chosen and risks from a collapse in trade because of an adverse event, an accident or natural disaster.

1.1.1 Factors influencing strategic risks

Factors that determine the level of strategic risks will include:

  • The types of industries/markets within which the business operates
  • The state of the economy
  • The actions of competitors and the possibility of mergers and acquisitions
  • The stage in a product’s life cycle, with higher risks in the introductory and declining stages
  • The dependence on inputs with fluctuating prices, eg wheat, oil
  • The level of operating gearing – the proportion of fixed costs to total costs
  • The flexibility of production processes to adapt to different specifications or products
  • The organisation’s research and development capacity and ability to innovate
  • The significance of new technology

There may be little management can do about some of these risks; they are inherent in business activity. However, strategies such as diversification can contribute substantially to the reduction of many business risks.

1.2 Operational risks

Key term: Operational or process risk is the risk of loss from a failure of internal business and control processes.

Operational risks include:

  • Losses from internal control system or audit inadequacies
  • Non-compliance with regulations or internal procedures
  • Information technology failures
  • Human error
  • Loss of key personnel (key-person risk)
  • Fraud
  • Business interruptions

The way operations are organised will influence the level of risks and the ways in which risks are managed. The decisions about structure, such as the level of autonomy to allow divisions discussed in Chapter 5, will be significant here.

1.3 Strategic and operational risks

The main difference between strategic and operational risks is that strategic risks relate to the organisation’s longer-term place in, and relations with, the outside environment. Although some of them relate to internal functions, they are internal functions or aspects of internal functions that have a key bearing on the organisation’s situation in relation to its environment. Operational risks are what could go wrong on a day-to-day basis, and are not generally very relevant to the key strategic decisions that affect a business, although some (for example a major disaster) can have a major impact on the business’s future.

You may also think that, as strategic risks relate primarily to the outside environment that is not under the organisation’s control, it is more difficult to mitigate these risks than it is to deal with the risks that relate to the internal environment that is under the organisation’s control.

Exam focus point: In fact there have been a number of questions in the P1 exam where serious operational risks, caused by poor internal procedures, have resulted in catastrophes for the organisations described in the questions. Factors contributing to high operational risks have included prioritising profit maximisation or cost minimisation over effective risk management, inadequate testing of the safety of new products, and ignoring warning signs of risky conditions.

Many of the risks discussed in Section 2 may be strategic or operational.

  • For example, the legal risk of breaching laws in day-to-day activities (for example an organisation’s drivers exceeding the speed limit) would be classed as an operational risk. However, the legal risk of stricter health and safety legislation forcing an organisation to make changes to its production processes would be classed as a strategic risk, as it is a long-term risk impacting seriously on the way the business produces its goods.
  • The same is true of information technology risks. The risks of a system failure resulting in a loss of a day’s data would clearly be an operational risk. However, the risks from using obsolete technology would be a strategic risk, as it would affect the organisation’s ability to compete with its rivals.

Exam focus point: December 2008 Question 1 asked students to discuss strategic and operational risks and explain why a business decision was a source of strategic risk.

2 Examples of risks faced by organisations

FAST FORWARD             Risks can be classified in various ways, including financial, product, legal, IT, operational, fraud and reputation.

2.1 Categories of risk    12/14, 6/15

There are many different types of risks faced by organisations, particularly those with commercial or international activities. The nature of these risks is discussed briefly below.

Exam focus point: Questions for this paper will undoubtedly cover a range of risks, not just financial risks.


2.1.1 Related and correlated risks    06/13

A major theme running through this section is that many risks are not independent of each other. They may be related because the causes of the risk are the same, or because one type of risk links to another.

One type of risk relationship is risk correlation or co-variance, where two risks vary together. Where positive correlation exists, the risks will increase or decrease together. If there is negative correlation, one risk will increase as the other decreases and vice versa. The relationship between the risks is measured by the correlation coefficient. A figure close to +1 shows high positive correlation, and a figure close to –1 high negative correlation.
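As an added worked example (not part of the original text), the correlation coefficient for two risks can be computed from their past loss figures, and the coefficient then tells you how much the two risks add up to when taken together: with positive correlation the combined swings are larger than either risk alone, with negative correlation the swings partly cancel. The yearly loss series below are constructed for illustration and are not data from the text; the formula for the combined standard deviation is the standard variance-of-a-sum result.

```python
"""Correlation between two risks, and how correlation changes the variability
of the two taken together. The yearly figures below are constructed for
illustration and are not data from the text."""
import math
from typing import List, Sequence


def mean(xs: Sequence[float]) -> float:
    return sum(xs) / len(xs)


def pstdev(xs: Sequence[float]) -> float:
    """Population standard deviation: how volatile a risk's losses are."""
    m = mean(xs)
    return math.sqrt(sum((x - m) ** 2 for x in xs) / len(xs))


def correlation(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Pearson correlation coefficient, from -1 (perfectly opposed) to +1
    (move together in lock step)."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two series of equal length with at least two points")
    mx, my = mean(xs), mean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        raise ValueError("a series with no variation has no defined correlation")
    return sxy / math.sqrt(sxx * syy)


def describe(rho: float) -> str:
    if rho > 0.5:
        return "strong positive correlation: the risks rise and fall together"
    if rho < -0.5:
        return "strong negative correlation: one risk rises as the other falls"
    return "weak correlation: the risks are largely independent"


def combined_stdev(sigma_a: float, sigma_b: float, rho: float) -> float:
    """Standard deviation of the total loss A + B for two risks with
    correlation rho: var(A+B) = var(A) + var(B) + 2*rho*sd(A)*sd(B)."""
    variance = sigma_a ** 2 + sigma_b ** 2 + 2 * rho * sigma_a * sigma_b
    return math.sqrt(max(variance, 0.0))  # clamp tiny negative rounding error


def combined_series(xs: Sequence[float], ys: Sequence[float]) -> List[float]:
    """Year-by-year total of the two losses."""
    return [x + y for x, y in zip(xs, ys)]


# Constructed annual losses (GBP 000) over six years
BAD_DEBT_LOSSES = [10, 14, 9, 20, 12, 18]          # credit risk materialising
LIQUIDITY_SHORTFALLS = [5, 8, 4, 12, 6, 11]         # cash squeezed when customers pay late
SUMMER_RANGE_SHORTFALL = [11, 15, 8, 19, 13, 17]    # poor summer sales
WINTER_RANGE_SHORTFALL = [12, 6, 13, 3, 10, 4]      # poor winter sales


if __name__ == "__main__":
    pairs = [("credit vs liquidity", BAD_DEBT_LOSSES, LIQUIDITY_SHORTFALLS),
             ("summer vs winter range", SUMMER_RANGE_SHORTFALL, WINTER_RANGE_SHORTFALL)]
    for label, a, b in pairs:
        rho = correlation(a, b)
        print(f"{label}: rho = {rho:+.2f} ({describe(rho)}); "
              f"sd(A) = {pstdev(a):.1f}, sd(B) = {pstdev(b):.1f}, "
              f"sd(A+B) = {combined_stdev(pstdev(a), pstdev(b), rho):.1f}")
    # Same two volatilities, three different correlations
    for rho in (1.0, 0.0, -1.0):
        print(f"sd 3 and 4 with rho {rho:+.0f}: combined sd {combined_stdev(3, 4, rho):.1f}")
```

The last loop is the point of the section in numbers: two risks with standard deviations 3 and 4 combine to 7 when perfectly positively correlated, 5 when independent, and 1 when perfectly negatively correlated, so a register that scores risks one at a time will understate exposure whenever the underlying causes are shared.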

2.2 Entrepreneurial risk

Entrepreneurial risks are the risks that arise from carrying out business activities. Entrepreneurial risk has to be incurred if a business is to gain returns. Entrepreneurial risk is forward-looking and opportunistic rather than negative and to be avoided.

Entrepreneurial risk includes the risk of a possible range of returns from a major investment, or of profits being lessened by competitors’ activities. Remember that all businesses apart from monopolies face risks from competitors if they are to carry on business. In addition, it will be necessary to take some risks when doing business to achieve the level of returns that shareholders demand.

A number of the risks discussed later in this section are strongly linked to entrepreneurial risks. A manufacturer will have to bear the risks arising from developing new products if it is to develop its business, but obviously has the potential for returns from new products to be positive and much greater than it may have expected. A company involved in hazardous activities, for example one that operates in the extractive industries, will inevitably face high levels of health and safety risks.

2.3 Financial risk    06/13, 6/14

Financial risks include reductions in revenues or profits, or incurring losses. The ultimate financial risk is that the organisation will not be able to continue to function as a going concern.

Financial risks include the risks relating to the structure of finance the organisation has, in particular the risks relating to the mix of equity and debt capital, and whether the organisation has an insufficient long-term capital base for the amount of trading it is doing (overtrading). Organisations must also consider the risks of fraud and misuse of financial resources. Longer-term risks include currency and interest rate risks, as well as market risk. Shorter-term financial risks include credit risk and liquidity risk.

2.3.1 Financing risks

There are various risks associated with sources of finance.

  • Long-term sources of finance being unavailable or ceasing to be available
  • Taking on commitments without proper authorisation
  • Taking on excessive commitments to paying interest that the company is unable to fulfil
  • Having to repay multiple sources of debt finance around the same time
  • Being unable to fulfil other commitments associated with a loan
  • Being stuck with the wrong sort of debt (floating-rate debt in a period when interest rates are rising, fixed-rate debt in a period when interest rates are falling)
  • Excessive use of short-term finance to support investments that will not yield returns until the long term
  • Ceding of control to providers of finance (for example banks demanding charges over assets or specifying gearing levels that the company must fulfil)

The attitudes to risk of the board and major finance providers will impact significantly on how risky the company’s financial structure is.

2.3.2 Liquidity risk

Key term: Liquidity risk is the risk of loss due to a mismatch between cash inflows and outflows.

If a business suddenly finds that it is unable to cover or renew its short-term liabilities (for example, if the bank suspends its overdraft facilities), there will be a danger of insolvency if it cannot convert enough of its current assets into cash quickly. However, current liabilities are often a cheap method of finance (trade payables do not usually carry an interest cost). Businesses may therefore consider that, in the interest of higher profits, it is worth accepting some risk of insolvency by increasing current liabilities, taking the maximum credit possible from suppliers.

If short-term funding is obtained to cover liquidity problems, the business may have to pay an excessively high borrowing rate. It will then be subject to interest rate risk (discussed below) on borrowing rates and so there is a potentially strong relationship between interest rate risks and liquidity risks.

Liquidity risk can also be extended to cover the risk of gaining a poor liquidity reputation, and therefore having existing sources of finance withdrawn as well. There is also asset liquidity risk, failure to realise the expected value on the sale of an asset due to lack of demand for the asset or having to accept a lower price due to the need for quick funds.

2.3.3 Cash flow risks

Cash flow risks relate to the volatility of a firm’s day-to-day operating cash flows. A key risk is having insufficient cash available because cash inflows have been unexpectedly low, perhaps due to delayed receipts from customers. If for example a firm has had a very large order, and the customer fails to pay promptly, the firm may not be able to delay payment to its supplier in the same way.

2.3.4 Gearing risk

Gearing risks are the risks of financial difficulty through taking on excessive commitments connected with debt. However, the links between gearing and risk are not straightforward. Pecking order theory suggests that managers prefer to finance new investment or expansion first from retained earnings, then from debt, and only as a last resort from new equity; choosing debt rather than equity sends a signal to finance providers that managers are confident about the future success of the company, so higher gearing is not always read as higher risk.

2.3.5 Credit risk

Key term: Credit risk is the risk to a company from the failure of its debtors to meet their obligations on time.

The most common type of credit risk is when customers fail to pay for goods that they have been supplied on credit.

A business can also be vulnerable to the credit risks of other firms with which it is heavily connected. A business may suffer losses as a result of a key supplier or partner in a joint venture having difficulty accessing credit to continue trading.

Management of credit risk is of particular importance to exporters. You may remember from earlier studies that various arrangements are available to assist in this, such as documentary credits, bills of exchange, export credit insurance, export factoring and forfaiting.

Liquidity risk will often be strongly correlated with credit risk. If customers delay paying their bills, clearly there is a greater risk that the business will not have sufficient funds to settle its own liabilities.

2.3.6 Currency risk
Key term: Currency risk is the possibility of loss or gain due to future changes in exchange rates.

When a firm trades with an overseas supplier or customer, and the invoice is in the overseas currency, it will expose itself to exchange rate or currency risk. Movement in the foreign exchange rates will create risk in the settlement of the debt – ie the final amount payable/receivable in the home currency will be uncertain at the time of entering into the transaction. Investment in a foreign country or borrowing in a foreign currency will also carry this risk.

There are three types of currency risk.

  • Transaction risk – arising from exchange rate movements between the time of entering into an international trading transaction and the time of cash settlement
  • Translation risk – the changes in balance sheet values of foreign assets and liabilities arising from retranslation at different prevailing exchange rates at the end of each year
  • Economic risk – the effect of exchange rate movements on the international competitiveness of the organisation, eg in terms of relative prices of imports/exports, the cost of foreign labour

Of these three, transaction risk has the greatest immediate impact on day-to-day cash flows of an organisation. There are many ways of reducing or eliminating this risk, for example by the use of hedging techniques or derivatives. However, derivatives (financial instruments including futures or options) can be used for speculation. If they are, risks will increase.
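As an added worked example (not part of the original text), transaction risk on a single foreign-currency payable or receivable can be laid out as a set of settlement scenarios, and set against what happens when the rate is fixed in advance with a forward contract, one of the hedging techniques the paragraph refers to but does not describe. The importer, the amounts, the spot rate and the forward rate are all assumptions for illustration; rates are quoted as foreign units per home unit.

```python
"""Transaction risk on a foreign-currency payable or receivable, and what
fixing the rate in advance (a forward contract, one common hedging technique)
does to it. Amounts and rates are assumed for illustration."""
from typing import Dict, Sequence


def home_value(foreign_amount: float, rate: float) -> float:
    """Home-currency value of a foreign amount. `rate` is quoted as foreign
    units per home unit, eg 1.25 means USD 1.25 buys GBP 1."""
    if rate <= 0:
        raise ValueError("exchange rate must be positive")
    return foreign_amount / rate


def settlement_gain(foreign_amount: float, kind: str,
                    rate_at_deal: float, rate_at_settlement: float) -> float:
    """Home-currency gain (+) or loss (-) at settlement compared with the
    value expected when the deal was struck. If the home currency strengthens
    (rate rises) a payable costs less and a receivable brings in less."""
    expected = home_value(foreign_amount, rate_at_deal)
    actual = home_value(foreign_amount, rate_at_settlement)
    if kind == "payable":
        return expected - actual
    if kind == "receivable":
        return actual - expected
    raise ValueError("kind must be 'payable' or 'receivable'")


def unhedged_scenarios(foreign_amount: float, kind: str, rate_at_deal: float,
                       outcome_rates: Sequence[float]) -> Dict[float, float]:
    """Gain or loss under each possible settlement rate when nothing is done."""
    return {r: settlement_gain(foreign_amount, kind, rate_at_deal, r) for r in outcome_rates}


def hedged_with_forward(foreign_amount: float, kind: str,
                        forward_rate: float, outcome_rate: float) -> Dict[str, float]:
    """Settle at a rate agreed in advance instead of the rate on the day.
    'forgone' is what the hedge gave up compared with staying unhedged; it is
    negative when the hedge saved money."""
    locked = home_value(foreign_amount, forward_rate)
    on_the_day = home_value(foreign_amount, outcome_rate)
    if kind == "payable":
        forgone = locked - on_the_day     # paid more than the spot rate would have cost
    elif kind == "receivable":
        forgone = on_the_day - locked     # received less than the spot rate would have given
    else:
        raise ValueError("kind must be 'payable' or 'receivable'")
    return {"hedged": locked, "unhedged": on_the_day, "forgone": forgone}


# Constructed case: a UK importer owes USD 1,000,000 in three months.
PAYABLE_USD = 1_000_000
SPOT_AT_DEAL = 1.25          # USD per GBP when the order is placed
FORWARD_RATE = 1.24          # rate a bank will fix today for settlement in three months
POSSIBLE_RATES = (1.15, 1.25, 1.35)

if __name__ == "__main__":
    print(f"Expected cost at deal: GBP {home_value(PAYABLE_USD, SPOT_AT_DEAL):,.0f}")
    for rate, gain in unhedged_scenarios(PAYABLE_USD, "payable", SPOT_AT_DEAL, POSSIBLE_RATES).items():
        print(f"  unhedged, settles at {rate}: gain {gain:+,.0f}")
    for rate in POSSIBLE_RATES:
        h = hedged_with_forward(PAYABLE_USD, "payable", FORWARD_RATE, rate)
        print(f"  hedged at {FORWARD_RATE}, spot turns out {rate}: pay {h['hedged']:,.0f}, "
              f"unhedged would pay {h['unhedged']:,.0f}, forgone {h['forgone']:+,.0f}")
```

The hedged cost is the same whichever rate turns out, which is the point of the hedge; the `forgone` figure shows the other side of the bargain, since if sterling strengthens the importer would have paid less without the forward. The same functions with `kind="receivable"` give an exporter's mirror-image exposure, and the sign convention is where mistakes are usually made in practice.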

2.3.7 Interest rate risk

As with foreign exchange rates, future interest rates cannot be easily predicted. If a firm has a significant amount of variable (floating) rate debt, interest rate movements will give rise to uncertainty about the cost of servicing this debt. Conversely, if a company uses a lot of fixed rate debt, it will lose out if interest rates begin to fall. Like currency risks, however, interest rate risks have upsides as well as downsides. A business with floating rate debt will benefit from lower costs if interest rates fall.

There are many arrangements and financial products that a firm’s treasury department can use to reduce its exposure to interest rate risk. The treasury department may use hedging techniques similar to those used for the management of currency risk.

2.3.8 Finance providers’ risk

There are also risks to the organisation if it provides finance for others. If it lends money, there is the risk of default on debt payments, and ultimately the risk that the borrower will become insolvent. If it invests in shares, there is a risk that it will receive low or no dividends, and share price volatility will mean that it does not receive any capital gains on the value of the shares.

However, for this paper and in practice you need to know about non-financial risks as well as financial risks. Remember that performance objective 4 on your PER includes the identification of potential risks.


Case Study


The global credit crunch 

A credit crunch is a crisis caused by banks being too nervous to lend money to customers or to each other. When they do lend, they will charge higher rates of interest to cover their risk.

One of the first obvious high-profile casualties of the recent global credit crisis was New Century Financial – the second largest sub-prime lender in the United States – which filed for Chapter 11 bankruptcy in early 2007. By August 2007, credit turmoil had hit financial markets across the world.

In September 2007 in the UK, Northern Rock applied to the Bank of England for emergency funding after struggling to raise cash. This led to Northern Rock savers rushing to empty their accounts as shares in the bank plummeted. In February 2008 the UK Chancellor of the Exchequer, Alistair Darling, announced that Northern Rock was to be nationalised.

Years of lax lending on the part of the financial institutions inflated a huge debt bubble as people borrowed cheap money and ploughed it into property. Lenders were quite free with their funds – particularly in the US where billions of dollars of ‘Ninja’ mortgages (no income, no job or assets) were sold to people with weak credit ratings (sub-prime borrowers). The idea was that if these sub-prime borrowers had trouble with repayments, rising house prices would allow them to remortgage their property. This was a good idea when US Central Bank interest rates were low – but such a situation could not last. In June 2004, following an interest rate low of 1%, rates in the US started to climb and house prices fell in response. Borrowers began to default on mortgage payments and the seeds of a global financial crisis were sown.

The global crisis stemmed from the way in which debt was sold onto investors. The US banking sector packaged sub-prime home loans into mortgage-backed securities known as collateralised debt obligations (CDOs). These were sold onto hedge funds and investment banks that saw them as a good way of generating high returns. However, when borrowers started to default on their loans, the value of these investments plummeted, leading to huge losses by banks on a global scale.

In the UK, many banks had invested large sums of money in sub-prime backed investments and have had to write off billions of pounds in losses. On 22 April 2008, the day after the Bank of England unveiled a £50 billion bailout scheme to aid banks and ease the mortgage market, Royal Bank of Scotland (RBS) admitted that loan losses hit £1.25 billion in just six weeks. In August 2008, RBS reported a pre-tax loss of £691 million (after writing down £5.9 billion on investments hit by the credit crunch) – one of the biggest losses in UK corporate history. At the beginning of 2009, RBS announced that it expected to suffer a loss of up to £28 billion as a result of the credit crunch. On 3 March 2008, it was reported that HSBC was writing off sub-prime loans at the rate of $51 million per day.


2.3.9 Accounts risks

There are various risks associated with the requirements to produce accounts that fairly reflect financial risks. The main risk is loss of reputation or financial penalties through being found to have produced accounts that are misleading. This doesn’t just apply to misreporting financial risks, it also includes misleading reporting in other areas, either in accounts or in other reports, for example environmental reporting. The problems companies face if they use financial instruments extensively to manage risks are that there may well be considerable uncertainty affecting assets valued at market prices when little or no market currently exists for those assets.

However, accounts that fairly account for, and disclose, risks may also be problematic if investors react badly. This particularly applies if income becomes increasingly volatile as a result of using fair value accounting for financial instruments. This may have an adverse impact on the ability of companies to pay dividends and on companies’ share price and cost of capital, if accounts users find it difficult to determine what is causing the volatility. Investors may not be sure if low market valuations of financial assets are temporary or permanent.

2.4 Market risk                                                         12/08, 12/11

Key term

Market risk is a risk of gain or loss due to movement in the market value of an asset – a stock, a bond, a loan, foreign exchange or a commodity – or a derivative contract linked to these assets. Market risk is often discussed in the context of the stock markets.

Market risk is a risk arising from any of the markets in which a company operates, including resource markets (inputs), product markets (outputs) or capital markets (finance).

Market risk is the risk that the fair values or cash flow of a financial instrument will fluctuate due to market prices. Market risk reflects interest rate risk, currency risk and other price risks. (IFRS 7)

You may encounter a number of different definitions.

Market risk is connected to interest rate or foreign exchange rate movements when derivatives are used to hedge these risks. Market risk can be analysed into various other risks. These cover movements in the reference asset, that is the risk that small price movements change the value of the holder’s position, as well as the risks of losses relating to a change in the maturity structure of an asset, the passage of time or market volatility. Market risk can also apply to making a major investment, for example in a recently floated company, where the market price has not yet reached a ‘true level’, or where there are other uncertainties about the price, for example lack of information.

Market risk is a good example of a speculative risk. Businesses can benefit from favourable price movements as well as lose from adverse changes. These considerations are very relevant when considering the work of the treasury department.

One important decision when running a treasury department is whether to restrict market activities to hedging market risks arising from other activities, such as exchange risks from trading abroad, or whether to speculate on the markets with a view to earning profits from speculation. A hedging approach is not itself a risk-free activity and a business could make large losses through poor decision-making. However, speculating on the markets would naturally be expected to carry greater risk of loss and risk incurring losses of much greater magnitude than hedging activities.

Market risks may also arise because other risks have crystallised. Poor weather, for example, may push up the price of raw materials as they become scarcer or more difficult to transport. As well as suffering higher prices, a business may also suffer delays in supply for the same reasons.


Case Study

In September 2011, Kweku Adoboli, a trader at the Swiss bank UBS, was arrested after allegedly having lost the bank £1.5 billion. The frauds that Kweku Adoboli was charged with allegedly took place between October 2008 and September 2011 and allegedly involved reporting fictitious hedges against legitimate derivative transactions. Mr Adoboli worked for UBS’s global synthetic equities division, buying and selling exchange traded funds which track different types of stocks or commodities such as precious metals. Mr Adoboli was convicted in November 2012 on charges of fraud.

In September 2011, UBS announced plans to scale back its investment banking activities to reduce its risks. Its chief executive, Oswald Gruebel, resigned. In November 2010 Mr Gruebel reportedly justified the bank’s decision at that time to increase its risk appetite with these words: ‘Risk is our business. I can assure you, as long as I’m here, as long as my colleagues are here, we do know about risk. (If things go wrong) you won’t hear us saying we didn’t know it.’

A subsequent investigation by UBS revealed a failure of key controls in two areas:

  • Failure to obtain bilateral confirmation with counterparties of certain trades within the bank’s equities business
  • Failure by those involved in inter-desk reconciliation processes to ensure transactions were valid and accurately recorded in the bank’s records. Cancellations of, or amendments to, internal trades that should have been supervisor-reviewed were not checked

There was also evidence that compliance systems did detect some unauthorised or unexplained activity, but this was not adequately investigated.


2.5 Product risk

Product risks will include the risks of financial loss due to producing a poor quality product. These include the need to compensate dissatisfied customers, possible loss of sales if the product has to be withdrawn from the market or because of loss of reputation (see below) and the need for expenditure on improved quality control procedures. However, product risks also include the risks involved in developing a new product, and the risks cover the range of outcomes from the products being a great success to a total failure.


Case Study

Toyota responded to concerns over the safety of its cars by recalling millions of models worldwide during 2009 and 2010. Sales of a number of models were suspended in the US. Although the actions by Toyota aimed to resolve risks to health and safety, the company may have been less effective in mitigating the risks to its reputation. Commentators highlighted an initial reluctance to admit the problem and poor communication of what it intended to do to regain control of the situation. The impact threatened car sales and share price, with investors reluctant to hold Toyota shares because of the level of uncertainty involved.


2.5.1 Legal risks

  • Determination of minimum technical standards that the goods must meet, eg noise levels, contents
  • Standardisation measures such as packaging sizes
  • Pricing regulations, including credit (eg some countries require importers to deposit payment in advance and may require the price to be no lower than those of domestic competitors)
  • Restrictions on promotional messages, methods and media
  • Product liability; different countries have different rules regarding product liability (ie the manufacturer’s/retailer’s responsibility for defects in the product sold and/or injury caused) – US juries are notoriously generous in this respect
  • Acceptance of international trademark, copyright and patent conventions; not all countries recognise such international conventions

Businesses that fail to comply with the law run the risk of legal penalties and accompanying bad publicity. Companies may also be forced into legal action to counter claims of allegedly bad practice that is not actually illegal.

The issues of legal standards and costs have very significant implications for companies that trade internationally. Companies that meet a strict set of standards in one country may face accusations of hypocrisy if their practices are laxer elsewhere. Ultimately higher costs of compliance, as well as costs of labour, may mean that companies relocate to countries where costs and regulatory burdens are lower.

Bear in mind that organisations may also face legal risks from lack of legislation (or lack of enforcement of legislation) designed to protect them.


Case Study

The Welsh company Performance Practitioners devised a new product, the Sales Activator, for the global sales development market. This product needed to be protected from imitators, particularly as it gave access to new markets overseas.

Performance Practitioners found that it was essential to obtain expert advice. The company decided on a portfolio of measures. Copyright protection was free, but a weak form of protection in many environments. The company also registered the Sales Activator as a trademark and communicated its intellectual property rights at every opportunity.

However, Performance Practitioners had to risk not being able to take effective action to protect its rights if it wanted to operate in some markets. In some countries it can take months for an intellectual property case to come to court. Performance Practitioners also had to consider the need to limit costs because of its desire to invest in the rest of its business. Therefore some options, like global patent protection, were too expensive. Nevertheless, the company needed enough funds to police its rights. The ability to protect intellectual property is diminished if a company cannot afford to take offenders to court.


2.5.2 Products and cultural differences

National culture may have a significant impact on the demand for products. For example, consumers in some countries prefer front-loading washing machines and others prefer top-loading washing machines. In some countries the lack of electricity will restrict the demand for electronic items.

Products also have symbolic and psychological aspects as well as physical attributes. As a result, entry into a market with a different set of cultural, religious, economic, social and political assumptions may cause extreme consumer reactions.

Some products are extremely sensitive to the environmental differences, which bring about the need for adaptation. Others are not at all sensitive to these differences, in which case standardisation is possible.

                            Environmentally sensitive        Environmentally insensitive
Adaptation necessary        • Fashion clothes
                            • Convenience foods
Standardisation possible                                     • Industrial and agricultural products
                                                             • World market products, eg jeans



Question

How might you attempt to manage the risk that you would lose money developing an entirely new product that turned out to be unsuccessful?


Answer

Conduct market research, even if it is only possible to describe the concept of the new product to potential customers. Perhaps only develop product ideas that derive from customers. (Though there is a risk that they might not be good ideas, and you may miss the opportunity to develop ideas that would appeal to customers, if only they were asked.) Do not commit to major expenditure (for example a new factory, large inventories of raw materials) without creating and market testing a prototype. You may have had other ideas. The key is to gather as much information as possible.


2.6 Legal and political risks

2.6.1 Legal risks

Breaches of legislation, regulations or codes of conduct can have very serious consequences for organisations. Risks include financial or other penalties (including ultimately closedown), having to spend money and resources in fighting litigation and loss of reputation. Key areas include health and safety, environmental legislation, trade descriptions, consumer protection, data protection and employment issues. Legal risks may therefore be strongly correlated with other risks if a business is potentially affected by legislation that relates to those other risks, for example health and safety or environmental legislation.

Governance codes are a particularly important example of best practice, and organisations must consider the risks of breaching provisions relating to integrity and objectivity, and also control over the organisation.

2.6.2 Political risks

Political risk is the risk that political action will affect the position and value of an organisation. It is connected with country risk, the risk associated with undertaking transactions with, or holding assets in, a particular country.

Political risk is another example of a risk that may have upsides or downsides. Political changes may occur that are favourable to businesses, for example the election of a government that is committed to outsourcing to the private sector activities previously carried on in the state sector.

Political risks may also be strongly linked to serious reputation risks. We discuss below how reputation risks are dependent on the level of other risks. With political risks, the relationship may work in the other direction. If a company suffers a collapse in its reputation as a result of a public outcry, this may force politicians to take action against it.


Case Study

In the UK the outcry over the News of the World phone hacking scandal in 2011 resulted in the UK Government setting up two public enquiries and UK Prime Minister David Cameron stating that the existing regulatory body, the Press Complaints Commission, should be replaced.


2.7 Technological risks                                                        12/13

2.7.1 Strategic risks and opportunities

The technological risks discussed below are mainly operational risks with negative consequences. However, investment in technology can have a considerable upside, as well as carrying major risks if the technology fails to work properly. Investment in IT can produce dramatic changes in individual businesses and whole industries. The right strategy may provide a possible source of competitive advantage or new channels for distributing and collecting information and conducting transactions. There is likely to be a strong positive correlation between technology risks and product development risk levels, as the success of many products will depend on getting the technology right.

However, the wrong strategy may result in adverse consequences. Directors may decide, for example, that a new system is justified for strategic reasons and force through a system that is impractical for operational purposes, ignoring the valid objections of staff who have to use the system. If in the end the system has to be abandoned, the write-off costs can be large and the damage to operational efficiency significant.

Often though, strategic and operational technological risks may be linked. A management environment where strategic opportunities for the use of information technology are neglected may also be one where operational controls are lax. Management may simply be paying insufficient attention to information technology and systems.

2.7.2 Physical damage risks

Fire is the most serious hazard to computer systems. Destruction of data can be even more costly than the destruction of hardware. Water is also a serious hazard. In some areas flooding is a natural risk, for example in many towns and cities near rivers or coasts. Basements are therefore generally not regarded as appropriate sites for large computer installations. Wind, rain and storms can all cause substantial damage to buildings. Lightning and electrical storms can play havoc with power supplies, causing power failures coupled with power surges as services are restored.

Organisations may also be exposed to physical threats through the actions of humans. Political terrorism is the main risk, but there are also threats from individuals with grudges. Staff are a physical threat to computer installations, whether by spilling a cup of coffee over a desk covered with papers, or tripping and falling, doing some damage to themselves and to an item of office equipment.

2.7.3 Data and systems integrity risks

The risks include human error, such as entering incorrect transactions, failing to correct errors, processing the wrong files and failing to follow prescribed security procedures. Possible technical errors include malfunctioning hardware or software and supporting equipment such as communication equipment, normal and emergency power supplies and air conditioning units.

Other threats include commercial espionage, malicious damage and industrial action.

These risks may be particularly significant because of the nature of computer operations. The processing capabilities of a computer are extensive, and enormous quantities of data are processed without human intervention, and so without humans necessarily knowing what is going on.

2.7.4 Fraud risk

Computer fraud usually involves the theft of funds by dishonest use of a computer system. Input fraud is where data input is falsified. Good examples are putting a non-existent employee on the salary file or a non-existent supplier on the purchases file. With processing fraud a programmer or someone who has broken into this part of the system may alter a program. Output fraud involves documents being stolen or tampered with and control totals being altered. Cheques are the most likely document to be stolen, but other documents may be stolen to hide a fraud.
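The input and output frauds described above are usually caught by reconciling the payroll or purchases file against an independent record and by checking control totals. The following Python script is an added illustration of those checks, not part of the study text: the HR master file, the payroll run and the authorised total are all constructed, and the three checks (payee not known to HR, leaver still paid, two payees sharing one bank account) are the kind an internal auditor would run before a payment file is released.

```python
"""Added example (not from the study text): audit checks for input and
output fraud on a payroll run. All data below is constructed."""
from collections import defaultdict

# Constructed HR master file: the employees HR knows about and their status.
HR_MASTER = {
    "E001": {"name": "A. Patel", "bank": "20-00-00 11111111", "active": True},
    "E002": {"name": "B. Jones", "bank": "20-00-00 22222222", "active": True},
    "E003": {"name": "C. Smith", "bank": "20-00-00 33333333", "active": False},  # left last month
}

# Constructed payroll run: what the payroll system is about to pay.
PAYROLL_RUN = [
    {"emp_id": "E001", "name": "A. Patel", "bank": "20-00-00 11111111", "net_pay": 2500.00},
    {"emp_id": "E002", "name": "B. Jones", "bank": "20-00-00 22222222", "net_pay": 2700.00},
    {"emp_id": "E003", "name": "C. Smith", "bank": "20-00-00 33333333", "net_pay": 2600.00},  # leaver still paid
    {"emp_id": "E099", "name": "Z. Ghost", "bank": "20-00-00 22222222", "net_pay": 3100.00},  # not in HR, shares E002's account
]

# Constructed control total: net pay authorised independently by HR for active staff.
AUTHORISED_NET_PAY = 5200.00


def ghost_employee_checks(hr, payroll):
    """Return a list of (finding_code, detail) tuples for a payroll run.

    NOT_IN_HR      payee has no HR record (classic 'ghost employee')
    LEAVER_PAID    payee is marked inactive in HR but is still being paid
    BANK_MISMATCH  payroll bank details differ from the HR record
    SHARED_BANK    two or more payees are paid into the same account
    """
    findings = []
    payees_by_bank = defaultdict(list)
    for entry in payroll:
        payees_by_bank[entry["bank"]].append(entry["emp_id"])
        record = hr.get(entry["emp_id"])
        if record is None:
            findings.append(("NOT_IN_HR", entry["emp_id"]))
        elif not record["active"]:
            findings.append(("LEAVER_PAID", entry["emp_id"]))
        elif record["bank"] != entry["bank"]:
            findings.append(("BANK_MISMATCH", entry["emp_id"]))
    for bank, ids in payees_by_bank.items():
        if len(ids) > 1:
            findings.append(("SHARED_BANK", tuple(sorted(ids))))
    return findings


def control_total_matches(payroll, authorised_total):
    """Compare the payroll file's total with the independently authorised total."""
    total = sum(entry["net_pay"] for entry in payroll)
    return abs(total - authorised_total) < 0.005


if __name__ == "__main__":
    for code, detail in ghost_employee_checks(HR_MASTER, PAYROLL_RUN):
        print(code, detail)
    print("control total ok:", control_total_matches(PAYROLL_RUN, AUTHORISED_NET_PAY))
```

The control total is only useful if the authorised figure comes from someone other than the person who prepares the payroll file; if the same person can alter both, the check is a formality.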

Over the last few years there have been rapid developments in all aspects of computer technology and these have increased the opportunities that are available to commit a fraud. The most important of the recent developments is increased computer literacy. The use of public communication systems has increased the ability of people outside the organisation to break into the computer system. These ‘hackers’ could not have operated when access was only possible on site. A consequence of increased use of computers is often a reduction in the number of internal checks carried out for any transaction.

2.7.5 Internet risk

Establishing organisational links to the internet brings numerous security dangers.

  • Corruptions such as viruses on a single computer can spread through the network to all of the organisation’s computers.
  • If the organisation is linked to an external network, hackers may be able to get into the organisation’s internal network, either to steal data or to cause damage.
  • Employees may download inaccurate information or imperfect or virus-ridden software from an external network.
  • Information transmitted from one part of an organisation to another may be intercepted. Data can be ‘encrypted’ (scrambled) in an attempt to make it unintelligible to hackers.
  • The communications link itself may break down or distort data.

2.7.6 Denial of service attack

A fairly new threat relating to internet websites and related systems is the ‘Denial of Service (DoS)’ attack. A denial of service attack is characterised by an attempt by attackers to prevent legitimate users of a service from using that service. Examples include attempts to:

  • ‘Flood’ or bombard a site or network, thereby preventing legitimate network traffic (major sites such as and Yahoo! have been targeted in this way)
  • Disrupt connections between two machines, thereby preventing access to a service
  • Prevent a particular individual from accessing a service
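The first kind of attack listed, flooding a site with traffic, is visible in the web server’s own access log as an abnormal request rate from one source. The script below is an added example, not part of the study text, of how a monitoring team might detect such a flood: it parses Common Log Format lines, keeps a sliding window of recent requests per source address and reports any source whose count inside the window exceeds a threshold. The log lines, the addresses (documentation ranges) and the threshold of 20 requests in 10 seconds are all constructed for the illustration.

```python
"""Added example (not from the study text): detecting a request flood from
web-server access logs. All log lines below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \d+')


def parse_line(line):
    """Return (ip, timestamp, status) or None if the line does not parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    ip, stamp, status = match.groups()
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"), int(status)


def flood_sources(lines, window_seconds=10, threshold=20):
    """Sliding-window request count per source address.

    Returns {ip: peak_count} for every source whose request count within any
    window of `window_seconds` exceeded `threshold`. Lines are assumed to be in
    time order for each source, as a live log normally is.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than stop the monitor
        ip, t, _status = parsed
        window = recent[ip]
        window.append(t)
        while (t - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


def build_sample_log():
    """Constructed sample: one source sends 50 requests in 5 seconds,
    an ordinary visitor sends 5 requests a minute apart."""
    base = datetime(2023, 10, 10, 12, 0, 0, tzinfo=timezone.utc)

    def entry(ip, when, path):
        stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for i in range(50):  # flooding source: ten requests per second
        lines.append(entry("203.0.113.5", base + timedelta(seconds=i // 10), "/"))
    for i in range(5):  # ordinary visitor
        lines.append(entry("198.51.100.7", base + timedelta(minutes=i), "/page"))
    lines.append("not a log line")  # malformed entry, ignored by the parser
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print(flood_sources(SAMPLE_LOG))  # {'203.0.113.5': 50}
```

A per-source count like this catches a flood from a single address; a distributed attack spreads its traffic across many sources, so the same window logic would also be applied to the total request rate and to rates per URL.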

2.8 Health and safety risk                                                   12/11

Health and safety risks include loss of employees’ time because of injury and the risks of having to pay compensation or legal costs because of breaches. Health and safety risks can arise from:

  • Lack of health and safety policy – due to increased legislation in this area this is becoming less likely
  • Lack of emergency procedures – again less likely
  • Failure to deal with hazards – often due to a failure to implement policies such as inspection of electrical equipment, labelling of hazards and training
  • Poor employee welfare – not just threats to health such as poor working conditions or excessive exposure to computer monitors, but also risks to quality from tired staff making mistakes
  • Generally poor health and safety culture

Glynis Morris in the book An Accountant’s Guide to Risk Management lists a number of signs.

  • Trailing wires and overloaded electricity sockets
  • Poor lighting
  • Poor ventilation
  • Uneven floor surfaces
  • Sharp edges
  • Cupboards and drawers that are regularly left open
  • Poorly stacked shelves or other poor storage arrangements
  • Excessive noise and dust levels
  • Poor furniture design, workstation or office layout

Morris points out that all these problems can be solved with thought.


2.9 Environmental risk

Key term

Environmental risk is a loss or liability arising from the effects of the natural environment on the organisation or a loss or liability arising out of the environmental effects of the organisation’s operations.

The risk is possibly greatest with business activities such as agriculture and farming, the chemical industry and transportation generally. These industries have the greatest direct impact on the environment and so face the most significant risks. However, other factors may be significant. A business located in a sensitive area, such as near a river, may face increased risks of causing pollution. A key element of environmental risk is likely to be waste management, particularly if waste materials are toxic.

However, as we shall see in Chapter 11, there may be upsides associated with environmental risks and the way they are managed. Businesses may run the risks of incurring unexpectedly high costs if they deal effectively with these risks, but there may also be substantial gains in terms of reputation and how key stakeholders act towards them.

2.10 Fraud risk

All businesses run the risk of loss through the fraudulent activities of employees, including management.


Case Study

Bankers in Zambia may be accused of fraud because the country’s police do not have enough resources to catch the real fraudsters. The Bankers’ Association of Zambia chairman, Xavier Chibiya, stated that bank staff who processed fraudulent transactions could be arrested. They could lose their jobs or be sent to jail. Bank staff needed to be particularly wary around the Christmas period: ‘Fraudsters normally act during December when the experienced bankers have gone on break and the experts have also gone on break.’


The following is a list of possible fraud risks; you will see that a number of the signs listed are examples of poor corporate governance procedures, such as over-domination by one person or pressure on the accounting or internal audit departments.

Fraud and error

Previous experience or incidents which call into question the integrity or competence of management
  • Management dominated by one person (or a small group) and no effective oversight board or committee
  • Complex corporate structure where complexity does not seem to be warranted
  • High turnover rate of key accounting and financial personnel
  • Personnel (key or otherwise) not taking holidays
  • Personnel lifestyles that appear to be beyond their known income
  • Significant and prolonged understaffing of the accounting department
  • Poor relations between executive management and internal auditors
  • Lack of attention given to, or review of, key internal accounting data such as cost estimates
  • Frequent changes of legal advisors or auditors
  • History of legal and regulatory violations

Particular financial reporting pressures within an entity
  • Industry volatility
  • Inadequate working capital due to declining profits or too rapid expansion
  • Deteriorating quality of earnings, for example increased risk taking with respect to credit sales, changes in business practice or selection of accounting policy alternatives that improve income
  • The entity needs a rising profit trend to support the market price of its shares due to a contemplated public offering, a takeover or other reason
  • Significant investment in an industry or product line noted for rapid change
  • Pressure on accounting personnel to complete financial statements in an unreasonably short period of time
  • Dominant owner-management
  • Performance-based remuneration

Weaknesses in the design and operation of the accounting and internal controls system
  • A weak control environment within the entity
  • Systems that, in their design, are inadequate to give reasonable assurance of preventing or detecting error or fraud
  • Inadequate segregation of responsibilities in relation to functions involving the handling, recording or controlling of the entity’s assets
  • Poor security of assets
  • Lack of access controls over IT systems
  • Indications that internal financial information is unreliable
  • Evidence that internal controls have been overridden by management
  • Ineffective monitoring of the system which allows control overrides, breakdown or weakness to continue without proper corrective action
  • Continuing failure to correct major weakness in internal control where such corrections are practicable and cost effective

Unusual transactions or trends
  • Unusual transactions, especially near the year end, that have a significant effect on earnings
  • Complex transactions or accounting treatments
  • Unusual transactions with related parties
  • Payments for services (for example to lawyers, consultants or agents) that appear excessive in relation to the services provided
  • Large cash transactions
  • Transactions dealt with outside the normal systems
  • Investments in products that appear too good to be true, for example low-risk, high-return products
  • Large changes in significant revenues or expenses

Problems in obtaining sufficient appropriate audit evidence
  • Inadequate records, for example incomplete files, excessive adjustments to accounting records, transactions not recorded in accordance with normal procedures and out-of-balance control accounts
  • Inadequate documentation of transactions, such as lack of proper authorisation, unavailable supporting documents and alteration to documents (any of these documentation problems assume greater significance when they relate to large or unusual transactions)
  • An excessive number of differences between accounting records and third party confirmations, conflicting audit evidence and unexplainable changes in operating ratios
  • Evasive, delayed or unreasonable responses by management to audit enquiries
  • Inappropriate attitude of management to the conduct of the audit, eg time pressure, scope limitation and other constraints

Some factors unique to an information systems environment which relate to the conditions and events described above
  • Inability to extract information from computer files due to lack of, or non-current, documentation of record contents or programs
  • Large numbers of program changes that are not documented, approved and tested
  • Inadequate overall balancing of computer transactions and databases to the financial accounts
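Two of the control weaknesses listed above, inadequate segregation of responsibilities and lack of access controls over IT systems, can be tested directly from the access rights a system grants. The Python script below is an added example, not part of the study text, of a segregation-of-duties review: it resolves each user’s effective permissions from the roles they hold and reports any user who holds both halves of a conflicting pair (for instance creating a supplier and approving payments to it). The conflict matrix, roles, permissions and users are all constructed; a real matrix is specific to the organisation and its systems.

```python
"""Added example (not from the study text): segregation-of-duties review
of user access rights. All roles, permissions and users are constructed."""

# Pairs of duties one person should not hold together (constructed
# illustration; a real conflict matrix is organisation-specific).
SOD_CONFLICTS = {
    frozenset({"create_supplier", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"maintain_payroll_master", "run_payroll"}),
    frozenset({"change_program", "migrate_to_production"}),
}

# Constructed role definitions: which permissions each role grants.
ROLE_PERMISSIONS = {
    "ap_clerk": {"enter_invoice", "create_supplier"},
    "ap_manager": {"approve_payment"},
    "payroll_admin": {"maintain_payroll_master"},
    "payroll_operator": {"run_payroll"},
    "developer": {"change_program"},
    "release_manager": {"migrate_to_production"},
}

# Constructed user-to-role assignments as exported from the access system.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},            # can set up and pay a supplier
    "carol": {"payroll_admin", "payroll_operator"},  # can add a payee and run payroll
    "dave": {"developer"},
}


def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, set())
    return perms


def sod_violations(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Return {user: [sorted conflicting pairs]} for users holding both duties of a pair."""
    violations = {}
    for user in user_roles:
        perms = effective_permissions(user, user_roles, role_perms)
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= perms)
        if hits:
            violations[user] = hits
    return violations


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        print(user, pairs)
```

Because permissions are resolved through roles rather than read off a user list, the check also catches conflicts that arise when a single role is later widened to grant both duties, which is how many segregation failures actually appear.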



Question   Procurement fraud

Give examples of indicators of fraud in the tendering process.


Answer

  • Suppliers

Examples include disqualification of suitable suppliers, a very short list of alternatives and continual use of the same suppliers or a single source. The organisation should also be alert for any signs of personal relationships between staff and suppliers.

  • Contract terms

Possible signs here include contract specifications that do not make commercial sense and contracts that include special but unnecessary specifications that only one supplier can meet.

  • Bid and awarding process

Signs of doubtful practice include unclear evaluation criteria, acceptance of late bids and changes in the contract specification after some bids have been made. Suspicions might be aroused if reasons for awarding the contract are unclear or the contract is awarded to a supplier with a poor performance record or who appears to lack the resources to carry out the contract.

  • After the contract is awarded

Changes to the contract after it has been awarded should be considered carefully, along with a large number of subsequent changes in contract specifications or liability limits.

This is perhaps one of the risk areas over which the company can exert the greatest control, through a coherent corporate strategy set out in a fraud policy statement and the setting up of strict internal controls.



Case Study

A report by UK accountants BDO in July 2010 highlighted the alarming statistic that fraud losses in the UK for the first six months of 2010 were almost the same as for the whole of 2008. The average value of a single fraud had increased to almost £6m. BDO commented that in the past there had been much procurement fraud, with fraudulent employees working with outside accomplices to defraud employers through bogus or inflated invoices for goods and services. More common recently, however, was revenue dilution fraud, where management commits fraud by either setting up companies within companies or diverting lucrative contracts to accomplices.


2.11 Probity risk

Key term

Probity risk is the risk of unethical behaviour by one or more participants in a particular process.

Being the victims of bribery or corruption or being pressurised into it are obvious examples of probity risk.


Case Study

However, assumptions about how different cultures view corruption can also be dangerous. Accountancy magazine ran a series about the major cultural issues involved in dealing with particular countries. Its article on Greece suggested that ‘unorthodox’ methods might be required to be successful there.

‘The concept of a bribe is one that is well understood in Greece.’

Unsurprisingly the magazine received a number of complaints about this article.


Probity risk is also commonly discussed in the context of procurement, the process of acquiring property or services. Guidance issued by the Australian Government’s Department of Finance and Administration Financial Management Group comments that:

‘Procurement must be conducted with probity in mind to enable purchasers and suppliers to deal with each other on the basis of mutual trust and respect. Adopting an ethical, transparent approach enables business to be conducted fairly, reasonably and with integrity. Ethical behaviour also enables procurement to be conducted in a manner that allows all participating suppliers to compete as equally as possible. The procurement process rules must be clear, open, well understood and applied equally to all parties to the process.’

In this context probity risk would not only be the risk that the ‘wrong’ supplier was chosen as a result of improper behaviour, but it relates to other issues as well, for example failing to treat private information given by another party as confidential. It would also relate to the risks of lack of trust making business dealings between certain parties impossible, or time and cost having to be spent resolving disputes arising from the process. Probity risk is clearly linked with reputation risk, discussed below.

There may be a strong relationship between probity risk and political risk. Companies may operate in certain countries where illicit payments can facilitate favourable political action on their behalf. However, they may face severe legal and reputation consequences if they are found to have been involved in corruption. We discuss this further in Chapter 10.

2.12 Knowledge management risk

Knowledge management risk concerns the effective management and control of knowledge resources. Threats might include unauthorised use or abuse of intellectual property, area or system power failures, competitors’ technology or loss of key staff.

2.13 Property risk

Property risks are the risks from damage, destruction or taking of property. Perils to property include fire, windstorms, water leakage and vandalism.

If the organisation suffers damage, it may be liable for repairs or ultimately the building of an entirely new property. There may also be a risk of loss of rent. If a building is accidentally damaged or destroyed, and the tenant is not responsible for the payment of rent during the period the property cannot be occupied, the landlord will lose the rent.

If there is damage to the property, the organisation could suffer from having to suspend or reduce its operations.

There is also the risk of loss of value of property. This may be linked to changes in other risks. For example, perceptions that there is a risk of interest rates rising may depress property prices. A fall in the value of property may in turn have an adverse effect on certain financial risks. A business may find it more difficult to obtain finance on favourable terms if the value of the main security it can offer, its property, is falling.

2.14 Trading risk

Both domestic and international traders will face trading risks, although those faced by the latter will generally be greater due to the increased distances and times involved. The types of trading risk include the following.

2.14.1 Physical risk

Physical risk is the risk of goods being lost or stolen in transit, or the documents accompanying the goods going astray.

2.14.2 Trade risk

Trade risk is the risk of the customer refusing to accept the goods on delivery (due to substandard/ inappropriate goods), or the cancellation of the order in transit.

2.14.3 Liquidity risk 12/10

Liquidity risk is the risk of being unable to finance the organisation’s trading activities. It is generally regarded as arising from a shortage of short-term finance and a mismatch between short-term assets and liabilities.

2.15 Disruption risk

Obviously one of the most important disruptions is a failure of information technology, but operations may be delayed or prevented for other reasons as well. These include employee error, product problems, health and safety issues, losses of employees or suppliers, problems in obtaining supplies or delivering products because of environmental reasons such as bad weather or legal action.

2.16 Cost and resource wastage risk

Important operational risks for most organisations are incurring excessive costs (through poor procurement procedures, lack of control over expenditure) or waste of employees’ time and resources (employees being unproductive or their efforts being misapplied).

2.17 Organisational risk

Organisational risks relate to the behaviour of groups or individuals within the organisation. These are particularly important to organisations that are going through significant change, as failure by people or teams to adapt may jeopardise change.

2.18 Reputation risk

Key term

Reputation risk is a loss of reputation caused as a result of the adverse consequences of another risk.

Of all the major risks, reputation risk is the risk that is most strongly correlated to other risks, since its level partly depends on the likelihood that other risks materialise.

The other main determinant of the level of reputation risk is how shareholders and other stakeholders react to the other risks crystallising. The loss of reputation may have serious consequences, depending on the strength of stakeholders’ reaction and the influence they have on what happens to the organisation.

The loss of reputation will usually be perceived by external stakeholders, and may have serious consequences, depending on the strength of the organisation’s relationship with them.

So what are likely to be the most significant risks to a business’s reputation?

2.18.1 Poor customer service

This risk is likely to arise because of the failure to understand why the customers buy from the business, how they view the business and what they expect from the business in terms of product quality, speed of delivery and value for money. Early indications of potential reputation risks include increasing levels of returns and customer complaints followed inevitably by loss of business.

2.18.2 Failure to innovate

We have discussed this under strategic risks.

2.18.3 Poor ethics

We shall consider ethics in detail in Part E of this text. We discussed in Chapter 1 the consequences of a poor reputation, principally an unwillingness of stakeholders to engage with the organisation resulting in falling demand, supply and staffing problems and weakening share price as investors lose confidence.

Environmental and social issues may also pose a greater threat to reputation because there is increasing emphasis on them in corporate governance best practice. The 2009 update of the King report in South Africa emphasised sustainability as the primary moral and economic imperative of the 21st century, and it is also a concept rooted in the South African constitution.



Protests against tax avoidance caused disruption in 2010 to several of the leading stores in the UK on the Saturday before Christmas, one of the busiest shopping days of the year. The protests resulted in store closures for some time in London and a number of other towns and cities. A significant feature of the protests was that demonstrations were started by people acting autonomously (ie they were not arranged through existing organisations) and were organised using social networking sites.


2.18.4 Poor corporate governance

Poor corporate governance may also be a source of reputation risk. An example is a lack of board diversity, with the board having an exclusively male membership. The most serious consequences of this may be to demotivate female employees and alienate female customers.

Exam focus point

Since the risks you’ll be considering for organisations will often be serious, the threat to organisations’ reputation, and probably therefore the financial consequences, will also be serious.

2.19 Industry-specific risks

Key term

Industry-specific risks are the risks of unexpected changes to a business’s cash flows from events or changing circumstances in the industry or sector in which the business operates.

Unexpected changes can arise for example due to new technology, a change in the law or a rise or fall in the price of a key commodity.



In its 2011 annual report, GlaxoSmithKline – one of the world’s largest pharmaceutical companies – identified a number of key risks that may have a significant impact on business performance and ultimately the value of shareholders’ investment in the company.

‘There are risks and uncertainties relevant to the Group’s business, financial condition and results of operations that may affect the Group’s performance and ability to achieve its objectives. The factors below are among those that the Group believes could cause its actual results to differ materially from expected and historical results.

  • Risk that R&D will not deliver commercially successful new products
  • Failure to obtain effective intellectual property protection for products
  • Expiry of intellectual property rights protection
  • Risk of competition from generic manufacturers
  • Risk of potential changes in intellectual property laws and regulations
  • Risk of substantial adverse outcome of litigation and government investigations
  • Product liability (such as claims for pain and suffering allegedly caused by drugs and vaccines)
  • Anti-trust litigation
  • Sales and marketing regulation
  • Pricing controls (government intervention in setting prices can affect margins)
  • Regulatory controls (which can affect the length of time a product takes to reach the market, if at


  • Risk of interruption of product supply (including product recalls and interruptions to production)
  • Taxation (including changes in tax laws)
  • Strategic risks relating to sales in emerging markets, such as vulnerability to global financial crisis or limited resources to spend on healthcare
  • Risks that restructuring would not deliver the required cost savings
  • Bribery and corruption claims resulting in legal sanctions
  • Risk of concentration of sales to wholesalers (which results in a concentration of credit risk that could potentially have a material and adverse effect on the Group’s financial results)
  • Global political and economic conditions, affecting consumer markets, distributors and suppliers
  • Environmental liabilities
  • Accounting standards (that could lead to changes in recognition of income and expenses, thus adversely affecting reported financial results)
  • Failure to protect electronic information and assets
  • Being unable to complete alliances and acquisitions on satisfactory terms, and entering alliances and acquisitions which turn out to have unpredicted liabilities or fail to realise the expected benefits
  • Human resources (failure to continue to recruit and retain the right people could have a significant adverse effect on the Group)

Try listing as many significant risk areas that you think might be of relevance to major international banks. Try to list at least ten risks.



There isn’t a ‘correct’ answer to this question, but shown below are the top 18 risks mentioned by senior bankers in a survey of risks in the banking industry, and published by the Centre for the Study of Financial Innovation in March 2005 (Banana Skins 2005). This list is not comprehensive, and you might have thought of others.

  • Too much regulation
  • Credit risk
  • Corporate governance
  • Complex financial instruments
  • Hedge funds
  • Fraud
  • Currencies
  • High dependence on technology
  • Risk management techniques
  • Macroeconomic trends
  • Insurance sector problems
  • Interest rates
  • Money laundering
  • Commodities
  • Emerging markets
  • Grasp of new technology
  • Legal risk
  • Equity markets

A notable extra was environmental risk which, while positioned low in the overall ranking (28th), was seen to be gaining strongly because of fears about the impact of pollution claims and climate change on bank assets and earnings.


Exam focus point

In the exam you may be given a scenario of a specific business and asked to identify the risks. Some of the most significant risks for that business may be industry-specific risks. You may therefore have to use some imagination to identify risks, but don’t be too worried about this sort of question. The sector the business operates in is likely to be fairly mainstream, and the risks therefore will not be too obscure.

3 Risk identification

Risk identification involves looking at the specific events and conditions that could result in risks materialising.

This section will help you fulfil performance objective 4 of your PER. One of the competencies for objective 3 is the requirement to evaluate activities in your area and identify potential risks.

3.1 Event (risk) identification

Event (risk) identification is part of the COSO framework.

No one can manage a risk without first being aware that it exists. Some knowledge of perils and what items they can affect and how is helpful to improve awareness of whether familiar risks (potential sources and causes of loss) are present, and the extent to which they could harm a particular person or organisation. Managers should also keep an eye open for unfamiliar risks which may be present.

Actively identifying the risks before they materialise makes it easier to think of methods that can be used to manage them.

Risk identification is a continuous process, so that new risks and changes affecting existing risks may be identified quickly and dealt with appropriately, before they can cause unacceptable losses.

Businesses also need to ensure that risks are identified:

  • At an organisational level, particularly key risks affecting strategy such as risks relating to competition
  • At a divisional level, for example supply shortages
  • At a day-to-day operational level, for example the risks of machine breakdown delaying production



Mazda collects quality information about defects from its dealers.

Mazda’s risk analysis highlighted the threat of widespread influenza to the company’s operations. When a new strain of influenza began to spread in 2009, Mazda announced measures to prevent infection and procedures to follow in the case of exposure.


3.2 Risks and opportunities

COSO emphasises that risk identification needs to differentiate negative-impact risks from opportunities, which may have positive consequences and a major impact on strategy. Management should channel opportunities back to strategy setting.

3.3 Risk conditions

Means of identifying conditions leading to risks (potential sources of loss) include:

  • Physical inspection, which will show up risks such as poor housekeeping (for example rubbish left on floors, which people can slip on and which can feed a fire)
  • Enquiries, from which the frequency and extent of product quality controls and checks on new employees’ references, for example, can be ascertained
  • Checking a copy of every letter and memo issued in the organisation for early indications of major changes and new projects
  • Brainstorming with representatives of different departments
  • Checklists ensuring risk areas are not missed
  • Benchmarking against other sections within the organisation or external experiences
3.4 Specific events

As well as underlying conditions, specific events can lead to the crystallisation of risks that could impact on implementation of strategy or achievement of objectives. Event analysis includes identification of:

  • External events. These could be economic changes, political developments or technological advances.
  • Internal events. These could be equipment problems, human error or difficulties with products.
  • Leading event indicators. By monitoring data correlated to events, organisations identify the existence of conditions that could give rise to an event, for example customers who have balances outstanding beyond a certain length of time being very likely to default on those balances.
  • Trends and root causes. Once these have been identified, management may find that assessment and treatment of causes is a more effective solution than acting on individual events once they occur.
  • Escalation triggers, certain events happening or levels being reached that require immediate action. It will be important to identify and respond to signs of danger as soon as they arise. For example, quick responses to product failure may be vital in ensuring that lost sales and threats to reputation are minimised.
  • Event interdependencies, identifying how one event can trigger another and how events can occur concurrently. For example, a decision to defer investment in an improved distribution system might mean that downtime increases and operating costs go up.
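As an added illustration (not part of the original text), the following Python script applies two of the ideas above, leading event indicators and escalation triggers, to a receivables ledger. The ledger, the customer names, the review date and the policy thresholds are all constructed assumptions: a balance more than 60 days overdue is treated as the leading indicator of default described above, and the escalation triggers fire when total overdue balances pass a set level or when one customer holds more than half of them.

```python
"""Leading indicators and escalation triggers over a receivables ledger.

Added example, not from the original text. The ledger, review date and
policy thresholds are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Invoice:
    customer: str
    amount: float
    due: date


# Constructed sample ledger of open invoices, and the date of the review.
REVIEW_DATE = date(2012, 3, 31)
SAMPLE_LEDGER = [
    Invoice("Alpha Ltd", 12_000.0, date(2012, 1, 10)),
    Invoice("Alpha Ltd", 8_000.0, date(2012, 2, 5)),
    Invoice("Beta plc", 40_000.0, date(2011, 11, 1)),
    Invoice("Gamma GmbH", 5_000.0, date(2012, 3, 1)),
    Invoice("Delta SA", 25_000.0, date(2011, 12, 15)),
    Invoice("Epsilon BV", 15_000.0, date(2012, 4, 30)),   # not yet due
]

# Assumed policy: what counts as an indicator, and when to escalate.
INDICATOR_DAYS = 60               # more than 60 days overdue: default is likely
TRIGGER_OVERDUE_TOTAL = 50_000.0  # total overdue above this level: escalate
TRIGGER_CUSTOMER_SHARE = 0.5      # one customer holds over half of overdue: escalate


def days_overdue(inv, as_of=REVIEW_DATE):
    """Days past the due date; zero for invoices that are not yet due."""
    return max(0, (as_of - inv.due).days)


def overdue_by_customer(ledger, as_of=REVIEW_DATE, min_days=0):
    """{customer: overdue amount} for invoices more than min_days overdue."""
    totals = {}
    for inv in ledger:
        if days_overdue(inv, as_of) > min_days:
            totals[inv.customer] = totals.get(inv.customer, 0.0) + inv.amount
    return totals


def leading_indicators(ledger, as_of=REVIEW_DATE, threshold_days=INDICATOR_DAYS):
    """Customers whose ageing suggests default before any default has occurred."""
    return overdue_by_customer(ledger, as_of, min_days=threshold_days)


def escalation_triggers(ledger, as_of=REVIEW_DATE):
    """Names of the escalation triggers that have fired at the review date."""
    overdue = overdue_by_customer(ledger, as_of)
    total = sum(overdue.values())
    fired = []
    if total > TRIGGER_OVERDUE_TOTAL:
        fired.append("total_overdue")
    if total > 0 and max(overdue.values()) / total > TRIGGER_CUSTOMER_SHARE:
        fired.append("concentration")
    return fired


if __name__ == "__main__":
    print("leading indicators:", leading_indicators(SAMPLE_LEDGER))
    print("escalation triggers:", escalation_triggers(SAMPLE_LEDGER))
```

On the constructed ledger three customers are flagged as likely defaulters (Alpha Ltd, Beta plc and Delta SA), and only the total-overdue trigger fires; the concentration trigger does not, because no single customer holds more than half of the overdue balance. Separating indicators, which prompt monitoring, from triggers, which demand immediate action, is what the two functions are for.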

Once events have been identified, they can be classified horizontally across the whole organisation and vertically within operating units. By doing this, management can gain a better understanding of the interrelationships between events, gaining enhanced information as a basis for risk assessment.

3.5 Acceptable risks

In common with other aspects of risk assessment and management, risk identification procedures will have costs and require time and resources. Risk identification may therefore be influenced not by a desire to identify all risks, but rather by a focus on identifying unacceptable risks. We shall discuss later in this Text why organisations may accept some risks, and try to follow the ALARP principle (as low as reasonably practicable) when dealing with others.



Early warnings in the supply chain

When Edscha, a German manufacturer of sun roofs, door hinges and other car parts, filed for insolvency last month, it presented BMW with a crisis. The luxury carmaker was about to introduce its new Z4 convertible – and Edscha supplied its roof. ‘We had no choice to go to another supplier, as that would have taken six months and we don’t have that. We had to help Edscha and try and stabilise it,’ BMW says. Today, Edscha is still trading, thanks to the support offered by its leading clients. Nevertheless, BMW remains so worried about disruption to its supply chain that it has increased staff numbers in its risk monitoring department looking only at components-makers.

Richard Milne, Financial Times, 24 March 2009


Risk management techniques can be applied in any type of organisation, although they are more commonly associated with large companies. If you were involved in the management of a school for children between the ages of 11-16/18, what might be some of the risks that you would need to consider and adopt a policy for managing?


In no particular order a list of risks to be assessed might include:

  • The risk of failing to attract sufficient numbers of students
  • The risk of poor examination results
  • The risk of inadequate numbers of students going on to higher education
  • The risk of focusing too much on academic subjects, and ignoring broader aspects of education
  • Physical security: risks to students, teachers and school property
  • The risk of theft of individuals’ property
  • Inability to recruit sufficient teachers
  • Not having enough money to spend on essential or desirable items
  • The risk of an adverse report from school inspectors


Chapter Roundup


Strategic risks are risks that relate to the fundamental decisions that the directors take about the future of the organisation.

Operational risks relate to matters that can go wrong on a day-to-day basis while the organisation is carrying out its business.

Risks can be classified in various ways, including financial, product, legal, IT, operational, fraud and reputation.
Risk identification involves looking at the specific events and conditions that could result in risks materialising.

Quick Quiz

1       Which of the following would not normally be classified as a strategic risk?

        A   The risk that a new product will fail to find a large enough market
        B   The risk of competitors moving their production to a different country and being able to cut costs and halve sale prices as a result
        C   The risk that a senior manager with lots of experience will be recruited by a competitor
        D   The risk of resource depletion meaning that new sources of raw materials will have to be found

2       List three business risks that are associated with the internet.

3       What are the main signs of fraud identified by SAS 110?

4       True or false? The level of reputation risk depends significantly on the level of other risks.

5       What does event analysis aim to identify?

6       What is a leading event indicator?

        A   An event which requires immediate action
        B   Conditions that could give rise to an event and a risk crystallising
        C   One event triggering another
        D   The root cause of an event

7       Fill in the blank:

        …… risk is the risk of unethical behaviour by one or more participants in a particular process.

8       Give three examples of items that could be subject to market risk.

Answers to Quick Quiz

1       C   The risk that a senior manager with lots of experience will be recruited by a competitor would normally be classified as an operational risk.

2       Any three of:
  • Hackers accessing the internal network
  • Staff downloading viruses
  • Staff downloading inaccurate information
  • Information being intercepted
  • The communication link breaking down or distorting data

3       The main signs are:
  • Previous experience or incidents that call into question the integrity or competence of management
  • Particular financial reporting pressures within an entity
  • Weaknesses in the design and operation of the accounting and internal control systems
  • Unusual transactions or trends
  • Problems in obtaining sufficient audit evidence
  • Information systems factors

4       True, although the threat to reputation also depends on how likely it is that the organisation will suffer bad publicity if risks in other areas materialise.

5       Event analysis aims to identify:
  • External events
  • Internal events
  • Leading event indicators
  • Trends and root causes
  • Escalation triggers
  • Event interdependencies

6       B   Conditions that could give rise to an event and a risk crystallising

7       Probity

8       Any three of:
  • Stock/shares
  • Bond
  • Loan
  • Foreign exchange
  • Commodity



Number Level Marks Time
Q6 Examination 20 39 mins


07 Risk assessment and response

Study guide

    Intellectual level
B1 Management control systems in corporate governance  
(a) Define and explain internal management control. 2
(b) Explain and explore the importance of internal control and risk management in corporate governance. 3
(e) Identify and assess the importance of elements or components of internal control systems. 3
B2 Internal control, audit and compliance in corporate governance  
(e) Explore and evaluate the effectiveness of internal control systems. 3
B3 Internal control and reporting   
(c) Explain and assess how internal controls underpin and provide information for accurate financial reporting. 3
C1 Risk and the risk management process   
(c) Explain the dynamic nature of risk assessment. 2
(d) Explain the importance and nature of management responses to changing risk assessments. 2
(e) Explain risk appetite and how this affects risk policy. 2
C3 Identification, assessment and measurement of risk  
(b) Explain and analyse the concepts of assessing the severity and probability of risk events. 2
(f) Explain and assess the ALARP (as low as reasonably practicable) principle in risk assessment and how this relates to severity and probability. 3
(g) Evaluate the difficulties of risk perception including the concepts of objective and subjective risk perception. 3
(h) Explain and evaluate the concepts of related and correlated risk factors. 3
D2 Methods of controlling and reducing risks  
(d) Explain and analyse the concepts of spreading and diversifying risk and when this would be appropriate. 2
(e) Identify and assess how business organisations use policies and techniques to mitigate various types of business and financial risks. 3
D3 Risk avoidance, retention and modelling  
(a) Explain, and assess the importance of, risk transference, avoidance, reduction and acceptance. 2

Exam guide

You may well be asked when different methods of dealing with risk might be appropriate. 

1 Risk assessment 6/10, 6/13

Risk assessment involves analysing, profiling and consolidating risks.


1.1 Assessing the effects of risks

It is not always simple to forecast the financial effects of a risk materialising, as it is not until after the event has occurred that all the costs – the extra expenses, inconveniences and loss of time – can be seen.



If your car is stolen, for example, and found converted to a heap of scrap metal, in addition to the cost of replacing it you can expect to pay for some quite unexpected items.

  • Fares home, and to and from work until you have a replacement
  • Telephone calls to the police, your family, your employer, and others affected
  • Movement and disposal of the wrecked car
  • Increased grocery bills from having to use corner shops instead of a distant supermarket
  • Notifications to the licensing authority that you are no longer the owner
  • Work you must turn down because you have no car
  • Lease charges on the new car because you have insufficient funds to buy one
  • Your time (which is difficult to value)

These are all hazards.


1.1.1 Risk assessment and dynamics 6/11

As well as deciding how to assess risks, organisations also need to decide how often assessment should take place. This will depend on how dynamic the environment is within which they operate, and how changes in that environment could result in significant and sudden changes in risks, which will in turn mean that the ways they are managed will change. Maybe the methods used to mitigate risks will alter, perhaps the priorities given to dealing with particular risks will change.

In some environments, risks will change very little, but in others risks will change a great deal and change quickly. The continuum below shows the two extremes and the variable state between them. On the left no risks ever change. On the right all risks are changing all the time. The two extremes don’t exist in reality but situations close to them do exist.

Some changes in the environment will arise from the strategic decisions businesses make, for example launching a new product, penetrating a new market or significantly changing their financial structure. Here the need for accurate risk assessment to support the strategic decisions may seem obvious, but there will also be changes in risk assessment once the strategy is launched to monitor the risks resulting from the new strategy.

Other significant changes to risks may arise from the decisions taken by other participants in the industry in which the business operates, in particular decisions by competitors, suppliers and customers.

In other instances businesses may face changes in risks that they do not themselves influence, but are a result of external forces acting on their environment. Factors that may result in significant rapid changes in risks may include the following.

  • Sectors where developments in new technology can quickly and significantly benefit innovators.
  • Businesses may be dependent on sources of raw materials that are increasingly uncertain.
  • Businesses selling goods in markets where fashion is a significant influence on consumer demand.
  • Sellers of non-essential goods or services to consumers being particularly vulnerable to adverse swings in the business cycle or even short-term losses of confidence caused by stock market volatility, such as was seen worldwide during the summer of 2011.  
  • Businesses operating in unstable political environments or facing major changes in legislation.

Internal risks may alter quickly too. If for example the business is dependent on a few staff, loss of these staff may significantly increase the risk of errors occurring or loss of business to competitors if these staff join rivals.

1.1.2 Risk quantification

Risks that require more analysis can be quantified in various ways, which you have covered in previous exams.

IMPORTANT! The examiner has stated that they are introducing the possibility of bringing in some simple arithmetic calculations from the June 2011 exam.

‘Students should not expect complicated calculations but should be prepared to manipulate numerical data and accordingly, a calculator may be helpful in future P1 exams.’

The examiner has clarified that they would not introduce any new techniques that haven’t been covered in previous papers, particularly F9. However, as well as requiring calculations, they might require students to assess quantitative information in a general sense in scenarios, such as an extract of a financial report, selected financial ratios or trends to assess risk and other aspects relating to financial gearing, operating gearing and liquidity.

Organisations can calculate possible results or losses and probabilities and add on distributions or confidence limits. They can ascertain certain key figures.

  • Average or expected result or loss (discussed below)
  • Frequency of losses
  • Chances of losses
  • Largest predictable loss
1.1.3 Risk rating

A simple risk rating may be based on a probability, for example the risk has a 60% chance of materialising. Impacts can be measured using objective amounts or rated, perhaps on a scale of 1-100.

Exam focus point

Simple ratings were used in June 2010 Question 1, which was about the risks associated with a nuclear power station.

The reasonableness of the ratings was one issue, particularly as the assessments had been made by an anti-nuclear group. A second issue is one that may well recur in the P1 exam: what to do when the impact of a risk materialising is potentially catastrophic but the probability of it happening is low.

1.1.4 Sensitivity analysis

Sensitivity analysis was covered in F9 in the context of capital investment.

The basic approach of sensitivity analysis is to calculate under alternative assumptions how sensitive the outcome is to changing conditions. An indication is thus provided of those variables to which the calculation is most sensitive (critical variables) and the extent to which those variables may change before the decision based on the results of that calculation changes (generally the point at which the project moves from a positive to negative outcome or vice versa).

Management should review critical variables to assess whether or not there is a strong possibility of events occurring which will lead to a different decision. Management should also pay particular attention to controlling those variables to which the calculation is particularly sensitive, once the decision has been made.

Sensitivity analysis has a number of weaknesses.

  • Changes in each key variable need to be isolated. However, management is more interested in the combination of the effects of changes in two or more key variables.
  • Looking at factors in isolation is unrealistic since they are often interdependent. The same risks may influence a number of variables in the calculation.
  • Sensitivity analysis does not examine the probability that any particular variation in costs or revenues might occur. The probability of a loss will be a key factor in management decision-making.
  • In itself sensitivity analysis does not provide a decision rule. Managers’ risk appetite will influence whether the variation required to change a positive outcome is considered too small to take the risk of a negative outcome.
1.1.5 Expected values

You will remember that expected values are a means of calculating the average outcome. Where probabilities are assigned to different outcomes, the decision can be evaluated on the basis of weighting the different outcomes.

If a decision-maker is faced with a number of alternative decisions, each with a range of possible outcomes, a simple decision rule would be to choose the one which gives the highest expected value.

However, this decision rule has two significant problems. Firstly the expected value may not be a possible actual outcome or anything near an actual outcome.

Secondly the decision rule does not take into account the range of possible outcomes. Managers may reject a project with a high expected value if they believe that the probability of that project making a loss is too great or the maximum possible loss is too large. Expected values take no account of the risk versus return considerations.

Therefore, when expected values are used in practice, it is often as part of a two-stage process that takes risk into account as well.

Step 1 Calculate an expected value.
Step 2 Measure risk, for example in the following ways.
  • By identifying the worst possible outcome and its probability
  • By calculating the probability that the project will fail to achieve a positive result
  • By calculating the standard deviation of the result
  • By identifying the most likely possible outcome (remembering that the expected value may not be a possible outcome)
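The two-stage process above, carried through in Python as an added example (not code from the study text). Each project is a constructed list of (probability, outcome) pairs; the functions compute the expected value and then the four risk measures listed in Step 2, so that two projects whose numbers point in different directions can be compared.

```python
from math import sqrt
from typing import Dict, List, Tuple

Outcome = Tuple[float, float]   # (probability, outcome value); a loss is negative


def _check(dist: List[Outcome]) -> None:
    """Probabilities must each lie in [0, 1] and sum to 1 (within rounding)."""
    if any(p < 0 or p > 1 for p, _ in dist):
        raise ValueError("each probability must lie between 0 and 1")
    if abs(sum(p for p, _ in dist) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")


def expected_value(dist: List[Outcome]) -> float:
    """Step 1: the probability-weighted average outcome."""
    _check(dist)
    return sum(p * x for p, x in dist)


def worst_case(dist: List[Outcome]) -> Tuple[float, float]:
    """Step 2: the worst possible outcome and its probability, as (outcome, probability)."""
    _check(dist)
    p, x = min(dist, key=lambda px: px[1])
    return x, p


def probability_of_loss(dist: List[Outcome]) -> float:
    """Step 2: probability that the project fails to achieve a positive result."""
    _check(dist)
    return sum(p for p, x in dist if x <= 0)


def standard_deviation(dist: List[Outcome]) -> float:
    """Step 2: dispersion of outcomes around the expected value."""
    ev = expected_value(dist)
    return sqrt(sum(p * (x - ev) ** 2 for p, x in dist))


def most_likely(dist: List[Outcome]) -> Tuple[float, float]:
    """Step 2: the single most probable outcome, as (outcome, probability)."""
    _check(dist)
    p, x = max(dist, key=lambda px: px[0])
    return x, p


def is_possible_outcome(dist: List[Outcome], value: float) -> bool:
    """True if `value` is one of the outcomes that can actually occur."""
    return any(abs(x - value) < 1e-9 for _, x in dist)


def risk_profile(dist: List[Outcome]) -> Dict[str, object]:
    """Both stages together, for one project."""
    ev = expected_value(dist)
    return {
        "expected_value": ev,
        "ev_is_possible": is_possible_outcome(dist, ev),
        "worst_case": worst_case(dist),
        "probability_of_loss": probability_of_loss(dist),
        "standard_deviation": standard_deviation(dist),
        "most_likely": most_likely(dist),
    }


def highest_expected_value(projects: Dict[str, List[Outcome]]) -> str:
    """The simple decision rule on its own: pick the highest expected value."""
    return max(projects, key=lambda name: expected_value(projects[name]))


# Constructed outcomes for two mutually exclusive projects (not from the study text)
PROJECTS = {
    "A": [(0.3, -2000.0), (0.5, 3000.0), (0.2, 8000.0)],
    "B": [(0.1, -500.0), (0.6, 2000.0), (0.3, 3000.0)],
}

if __name__ == "__main__":
    print("simple rule picks:", highest_expected_value(PROJECTS))
    for name, dist in PROJECTS.items():
        print(name, risk_profile(dist))
```

Project A wins on expected value (2,500 against 2,050) but that figure is not an outcome A can actually produce, its probability of a loss is three times B's, its worst case is four times larger and its standard deviation is far higher. The numbers alone do not settle the choice; management's and shareholders' attitude to a 30% chance of losing 2,000 does.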

In the exam you may be given data about different investments where the data available gives contrary indications. For example, one investment may have a higher expected value, but also a higher chance of making a loss than the other investments, or a much bigger loss in its worst-case scenario. If you are analysing the situation, remember that you cannot just go by the numbers but must also bring in other information in the scenario, such as risk appetite of management, attitude to risk of shareholders, and potential threat to the business if the worst possible outcome occurs.

Exam focus point

1.1.6 Accounting ratios

You covered the use of accounting ratios to analyse financial statements in F7. Accounting ratios that are likely to be significant in this paper are as follows.


Debt ratio = Total debts / Total assets × 100%

Although 50% is a helpful benchmark, many companies operate with a higher debt ratio. As with other ratios, the trend over time is as important as actual figures.

Stakeholder reaction to the debt ratio will be important. If the debt ratio appears heavy, finance providers may be unwilling to advance further funds. Shareholders may be unhappy with an excessive interest burden that threatens dividends and the value (perhaps the existence) of their long-term investment in the company.

Gearing = Interest bearing debt / (Shareholders’ equity + interest bearing debt) × 100%

Again a gearing ratio of more than 50% can be used as a benchmark, but many companies are more highly geared than that. However, there is likely to be a point at which a highly geared company has difficulty borrowing more unless it can also boost its shareholders’ capital, either with retained profits or by a new share issue. This emphasises the significance of shareholder reaction. Shareholders may not wish to have their dividends threatened by an excessive interest burden, but likewise they may be unwilling to see dividends fall as the company attempts to build up its equity base. They may also be unwilling (or unable) to provide extra equity funding.

Interest cover = Profit before interest and tax / Interest charges

The interest cover ratio shows whether a company is making enough profits before interest and tax to pay its interest costs comfortably, or whether its interest costs are so high that a fall in PBIT would have a significant effect on profits available for ordinary shareholders.

An interest cover of three times or less is generally considered as worryingly low.

Cash flow ratio = Net cash inflow / Total debts

A low figure for the cash flow ratio may not be a particular concern if the majority of debt is due to be repaid a long time ahead. Shareholders and finance providers will be more concerned about the company’s ability to meet its shorter-term loans, and the risks that could threaten the cash inflows required to repay amounts owed.

Current ratio = Current assets / Current liabilities

The current ratio is a key indicator of liquidity, the amount of cash available to a company to settle its debts quickly.

A company should have enough current assets that give a promise of ‘cash to come’ to meet its current liabilities. Although a ratio in excess of 1 may be expected, in many industries businesses operate without problems with ratios below 1.

Quick ratio = (Current assets less inventory) / Current liabilities

The quick ratio reflects the fact that some companies may not be able to convert inventory into cash quickly. Inventory is not a very liquid asset and so can distort the current ratio if that is used to assess liquidity. The quick ratio, or acid test ratio, should ideally be at least 1 for companies with a slow inventory turnover. For companies with a fast inventory turnover, a quick ratio can be comfortably less than 1 without suggesting that the company could be in cash flow trouble.

As well as calculating these ratios, you should consider whether there are other obvious signs of risk in the figures you have been given.

  • Changes in revenues. A business may not have the infrastructure to cope with rapid increases in demand. A fall in revenues may indicate longer-term threats to existence.
  • Changes in costs. A large increase in costs may indicate the business is becoming unprofitable or is not being controlled well. A fall in costs could indicate better control. However, it could alternatively indicate that the business is providing less value to customers or is cutting down on expenditure in risky areas, such as health and safety.
  • Increases in receivables or inventories. Increases may indicate poor control and a risk of not realising these assets. Decreased revenue and increased inventory together may be a strong indicator of commercial problems.
  • Increase in short-term creditors. This could imply a risky dependence on finance that has to be repaid soon.
  • Loan finance that has to be repaid in the next 12-24 months. Here the key risk is whether the business has the cash to make the repayment without a serious impact on its operations.
1.2 Likelihood/Consequences matrix 6/09, 6/11

This stage involves using the results of a risk analysis to group risks into risk families. One way of doing this is a likelihood/consequences matrix.

                     Consequences (impacts or hazard)
                     Low                    High

Likelihood    Low    Accept                 Transfer
              High   Reduce                 Avoid

Likelihood and consequences are continuums on which risks are plotted. The nearer the risk is towards the bottom right-hand corner (the high-high corner), the more important and the more strategic the risk will be. The position of risks can vary over time as environmental conditions vary. The diagram is very similar to Mendelow’s stakeholder map covered in Chapter 1, and in that map as well the position of stakeholders can move over time.

This profile can then be used to set priorities for risk mitigation.

The diagram also includes the four basic risk management strategies which we shall discuss below.



CIMA’s Guide to risk management provides a list of factors that can help determine in which section of the quadrant the risk is located.

  • The importance of the strategic objective to which the risk relates
  • The type of risk and whether it represents an opportunity or a threat
  • The direct and indirect impact of the risk
  • The likelihood of the risk
  • The cost of different responses to the risk
  • The organisation’s environment
  • Constraints within the organisation
  • The organisation’s ability to respond to events


1.2.1 Objective and subjective risk perception 12/11

CIMA’s list highlights a significant problem with the matrix, the issue of measurability. The matrix rests on the assumption that both hazard and risk can be quantified or at least ranked. In some instances the assessment can be made with a high degree of certainty, maybe even scientific accuracy. In these circumstances the risks can be objectively assessed.

In other instances, however, quantitative accuracy is not possible and the risks have to be subjectively assessed. How accurate these judgements are will depend on the knowledge and skills of the person making the judgement, the information available and the factors that may influence the risk levels. Some risks may depend on so many factors that only a subjective assessment is possible. However, judgements may be biased by the possible consequences of the risks, with the likelihood of potentially high-impact risks being overrated.

An example of a risk, the likelihood of which can be objectively measured, is the next outcome of tossing a coin. A risk, the impact of which can be objectively measured, is the number of shareholders affected by a loss of company value. A risk with a subjective likelihood is the risk of an accident occurring, and a risk with a subjective impact is the possible financial loss from a spillage from a factory.



The 2009 Turner report highlighted faulty measurement techniques as a reason why many UK financial institutions underestimated their risk position. The required capital for their trading activities was excessively light. Turner also highlighted the rapid growth of off-balance sheet vehicles that were highly leveraged but were not included in standard risk measures. However, the crisis demonstrated the economic risks of these vehicles, with liquidity commitments and reputational concerns requiring banks to take the assets back onto their balance sheets, increasing measured leverage significantly.

Turner also saw the complexity of the techniques as being a problem in itself. ‘The very complexity of the mathematics used to measure and manage risk made it increasingly difficult for top management and boards to assess and exercise judgements over risks being taken. Mathematical sophistication ended up not containing risk, but providing false assurance that other prima facie indicators of increasing risk (eg rapid credit extension and balance sheet growth) could be safely ignored.’


1.3 Risk consolidation

Risk that has been analysed and quantified at the divisional or subsidiary level needs to be aggregated to the corporate level and grouped into categories (categorisation). This aggregation will be required as part of the overall review of risk that the board needs to undertake which we shall look at in more detail in later chapters.



A CIMA research paper on Reporting and Managing Risk explained that RBS was another business that appeared to have strong risk management systems in many ways, but still ran into problems. Its risk management function was well staffed and internal audit checked the application of controls. The board defined overall risk appetite, and named senior managers were responsible for overseeing high-level risks. The chief risk officer prior to 2007 appeared to have a good understanding that his role included enforcement and promotion of good practice. The system for defining and categorising risk was logical and the risk register was continually updated.

However, in 2007 there were two changes of chief risk officer in quick succession. As the risk management committees operated below board level, the extent of their influence on the board, particularly the dominant chief executive, was limited. Some of the models used may have underestimated exposure to credit risks. There appears to have been too much trust placed in the calculations of some of the complex models, and not enough judgement exercised on their results. Above all, the stage of risk consolidation was not applied properly and so risks that applied across the business were not adequately managed. Divisional managers took risks that appeared to be appropriately managed at a divisional level, but were not well managed at a group level.


1.3.1 Related and correlated risks

One significant part of the risk consolidation process may be to analyse risks that are not independent of each other.

Correlation of risks is also important when considering the costs and benefits of risk management. Major expenditure on controls may reduce risks, but it could increase financial risks such as running short of funds or not being able to make profitable investments.

The examiner may well draw your attention to related risks, but watch out for them anyway in exam scenarios.

Exam focus point

1.3.2 Relationship between business and financial risk

Business risk is borne by both the firm’s equity holders and providers of debt, as it is the risk associated with investing in the firm in whatever capacity. The only way that either party can get rid of the business risk is to withdraw its investment in the firm.

Financial risk, on the other hand, is borne entirely by equity holders. This is due to the fact that payment to debt holders (ie interest) takes precedence over dividends to shareholders. The more debt there is in the firm’s capital structure, the greater the financial risk to equity holders, as the increased interest burden coming out of earnings reduces the likelihood that there will be sufficient funds remaining from which to pay a dividend. Debt holders however know there is a legal obligation on the firm to meet their interest commitments.



Mazda conducts tests for every conceivable type of impact that could occur on the road.

Mazda also conducts environmental risk assessments to minimise risks and prevent pollution and other incidents. Its assessments are based on environmental monitoring that tracks levels of air and water pollution.


1.4 Importance of accurate risk assessment 6/10

As we shall see in the next section, the assessment of risks will determine the risk mitigation or risk management strategy employed. There are therefore a number of risks associated with incorrect risk assessment, and these are likely to be higher the more subjective the risk assessment is.

  • If the assessment process underestimates the importance of the risks, risk management procedures may be inadequate. The risks may then materialise and the company may not only have to bear the losses arising from the risks crystallising but also suffer opportunity cost for expenditure on risk management that turns out to be ineffective.

  • If the importance of risks is exaggerated by the risk assessment process, then excessive measures may be taken to manage these risks. These may involve unnecessary costs and inefficient resource allocation, and mean that the business is unable to take advantage of profitable opportunities.

In addition, a number of stakeholders may be concerned with the adequacy of the risk assessment process. If they are dissatisfied, this may impact on the company.

  • Governments and legislators require risk assessment in a number of areas. The EU requires companies to carry out risk assessment in health and safety, product liability and finance.
  • Insurance companies require active assessment and management of risks.
  • Companies often want to pass legal responsibilities to their suppliers and also look for evidence of active risk management by their suppliers.
  • Public expectations that companies will take steps to identify and manage risks such as pollution and fraud have risen.

Accurate risk assessment has two aspects:

  • Making sure the assessment covers all relevant risks; the process should not be limited only to those risks that the organisation can control
  • Ensuring the severity and frequency of risks are fairly assessed

It involves gathering information from as many sources as possible on a regular basis, and circulating that information.



COSO’s guidance for smaller companies on controls over financial reporting stresses the need for risk assessment to focus on risks linked with key financial reporting objectives. The organisation should identify ‘trigger events’ that could lead to reassessment of risks. To do this, finance personnel need to be aware of what is going on within the organisation and to meet with executive management to identify new initiatives, commitments and activities affecting financial reporting risks.

The guidance discusses fraud in some detail. It is concerned not only with the impact of fraud on financial statements but also with whether financial reporting issues could motivate individuals to commit fraud. Meeting or not meeting financial reporting targets may have a significant impact on job prospects and the business needs to be aware of the impact of this on motivation.


Being able to demonstrate that you have made sound assessments of risks where you work is an important part of fulfilling performance objective 4 of your PER.

2 Risk response strategies

2.1 Dealing with risk 12/07, 12/08, 6/11, 6/15

Methods for dealing with risk include risk avoidance, risk reduction, risk acceptance and risk transference.

In the rest of the chapter we shall consider risk portfolio management, the various ways in which organisations can try to mitigate risks or indeed consider whether it will be worthwhile for them to accept risks.

Risk management strategies can be linked into the likelihood/consequences matrix, discussed earlier.

                     Consequences (hazard)
                     Low                                         High

Likelihood    Low    ACCEPT                                      TRANSFER
                     Risks are not significant. Keep under       Insure risk or implement contingency
                     view, but costs of dealing with risks       plans. Reduction of severity of risk
                     unlikely to be worth the benefits.          will minimise insurance premiums.

              High   REDUCE                                      AVOID
                     Take some action, eg self-insurance to      Take immediate action to reduce
                     deal with frequency of losses.              severity and frequency of losses, eg
                                                                 charging higher prices to customers
                                                                 or ultimately abandoning activities.




This diagram is worth committing to memory as the examiner sees this as a vital framework. The mnemonic is TARA (Transfer, Avoid, Reduce, Accept).

Exam focus point

2.1.1 Controllable and uncontrollable

How controllable risks are considered to be is likely to be an important influence on management strategies. Risks that are largely uncontrollable may not be tackled effectively by risk reduction measures, so the choice may be between accepting the risk and avoiding the activity that causes the risk.

2.1.2 Stop and go

When deciding on the best risk management strategy, organisations will be mindful of the returns they can make. Boards should consider the factors that determine shareholder valuations of the company, the risks associated with these and the ways in which shareholders would like risks to be managed.

They will not only consider the potential losses through inadequate management of risk, but also the potential loss in possible revenues caused by an overcautious risk management strategy.

Two types of error are Stop and Go errors.

  • Stop errors

Stop errors occur where activities that would have produced returns higher than the costs incurred are abandoned as too high-risk. The error was to stop the activity rather than go ahead with it.

  • Go errors

Go errors are where activities are pursued and risks are retained, the risks crystallise and costs are incurred that are greater than expected revenues. The error was to go ahead with the activity rather than to abandon it or drop it.

Boards therefore should not just focus on preventing negative risks from materialising but should also manage speculative risks and opportunities in order to maximise positive outcomes and therefore shareholder value.

2.1.3 Risk appetite

Decisions on risk management will not only depend on assessment of possible returns but, as we have seen, on managers’ appetite for taking risks. Some types of organisation, for example charities or public sector, will seek to avoid certain risks. Other organisations may seek to reduce the same risks. This will mean that the organisations avoiding the risks will not incur the potentially substantial costs of risk reduction.

2.1.4 The ALARP principle 12/11

In many businesses the focus will be on reducing most of the significant risks rather than eliminating them. This raises the issue of the extent to which managers will seek to reduce risks. The general principle is that the higher the level of risk, the less acceptable it is.

However, many risks cannot be avoided. Many businesses undertake hazardous activities where there is a risk of injury or loss of life (for example on an oil rig, factory or farm). These risks cannot be avoided completely but instead have to be reduced to an acceptable level by incurring the costs of risk mitigation – installing protective shielding, issuing safety equipment like hats or protective glasses. The level of risk mitigation is a trade off between cost and the assessment derived from the risk’s likelihood and impact.

Businesses will also of course need to comply with the law. However, some legislation or guidance recognises that precautions need to be practicable, for example the UK Health and Safety Executive’s guidance which acknowledges that measures are not required if the sacrifice involved in those measures is grossly disproportionate to the risks.

Judgement will be involved in deciding what level of risk is as low as reasonably practicable (ALARP). It may be that new control systems could reduce risks further, but they are judged to be far too expensive. The level of risk considered as low as reasonably practicable may well be a compromise.

ALARP will often be a very important issue when risk management is examined.

Exam focus point

2.1.5 Impact of dynamic environment

We discussed in Chapter 5 the factors that can result in changes in the environment within which the business operates.

As indicated above, businesses facing more dynamic environments are likely to have to carry out frequent risk assessments of risks that can change suddenly and significantly. It will be important for the results of the assessments to be reported quickly to management. Reporting of high-impact, high-likelihood risks may occur daily; other risks may be reported monthly or quarterly.

Managers will of course need to respond to these assessments and devote enough time to delivering effective risk management strategies. Businesses’ response to higher-level strategic risks will depend on the speed of management decision-making; that is, how quickly the board can change strategies in the light of altered circumstances. Having an appropriate combination of short- and long-term strategies may also be important. For example, shortages in raw materials may have to be met in the short term by contingency planning and use of other supply sources. In the longer term the business may redefine production processes, to reduce or eliminate dependence on the vulnerable resource.

Changes in risks may mean that policies for dealing with specific risks also need to change. For example a business may decide to avoid moving production facilities to an otherwise convenient location if that location is liable to frequent flooding. Improved flood defences may reduce the likelihood and consequences associated with the risk, and the business may therefore move there while taking steps to reduce risks (contingency plans) and transfer risks (the reduced risks may mean that insurance will be available).

Alternatively if a risk is still judged to be located in the risk reduction sector of the quadrant, but has moved towards the centre as likelihood and consequences increase, greater resources may be needed to manage that risk and resources therefore have to be moved away from managing other risks.

Overall, businesses operating in environments where risks are complex and likely to change suddenly are more likely to have to invest in complex risk assessment and management systems. A key feature of these systems will be flexibility. The Turnbull report highlighted the need for systems to be capable of responding quickly to evolving risks in the business arising from internal and external changes.

2.1.6 Residual risk

Residual risk is the risk remaining after actions have been taken to manage risks.

Key term

The level of residual risk indicates how far the business believes that risks can be reduced. As part of their regular review of risks, managers should compare residual risks with gross risks, the assessment of risks before the application of controls or management responses. This comparison will show how effective responses to risk have been.
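The following Python is an added example (not code from the study text) that ties together the likelihood/consequences matrix of Section 1.2, the TARA strategies of Section 2.1, the movement of a risk on the matrix as conditions change (Section 2.1.5) and the comparison of gross with residual risk described just above. The study text only distinguishes Low and High on each axis; the 1 to 5 scoring scale, the threshold of 3 for High and the risk register entries are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed scoring scale (assumption, not from the study text): each axis is
# scored 1..5 and a score of 3 or more counts as "High" on that axis.
SCALE = range(1, 6)
HIGH_FROM = 3

Position = Tuple[int, int]   # (likelihood, consequence)


@dataclass
class Risk:
    name: str
    gross: Position                      # assessment before controls or responses
    residual: Optional[Position] = None  # assessment after the chosen response, if made


def _check(position: Position) -> None:
    likelihood, consequence = position
    if likelihood not in SCALE or consequence not in SCALE:
        raise ValueError(f"scores must lie in {SCALE.start}..{SCALE.stop - 1}")


def tara_strategy(position: Position) -> str:
    """Quadrant of the likelihood/consequences matrix, named by the TARA mnemonic."""
    _check(position)
    likelihood, consequence = position
    high_likelihood = likelihood >= HIGH_FROM
    high_consequence = consequence >= HIGH_FROM
    if high_likelihood and high_consequence:
        return "Avoid"        # high-high corner
    if high_consequence:
        return "Transfer"     # unlikely but severe: insure or plan for it
    if high_likelihood:
        return "Reduce"       # frequent but minor: act on the frequency
    return "Accept"           # keep under view only


def score(position: Position) -> int:
    """Likelihood times consequence: the further towards the high-high corner, the higher."""
    _check(position)
    likelihood, consequence = position
    return likelihood * consequence


def prioritise(register: List[Risk]) -> List[str]:
    """Risk names in order of gross score, highest first: the mitigation priority list."""
    return [r.name for r in sorted(register, key=lambda r: score(r.gross), reverse=True)]


def control_effectiveness(risk: Risk) -> Optional[int]:
    """Gross score minus residual score; None where no residual assessment exists yet."""
    if risk.residual is None:
        return None
    return score(risk.gross) - score(risk.residual)


def reassess(risk: Risk, new_position: Position) -> Tuple[str, str]:
    """Strategy before and after a change in likelihood or consequence, for example
    when improved flood defences lower the likelihood of flooding at a site."""
    return tara_strategy(risk.gross), tara_strategy(new_position)


# Constructed risk register for the example (not from the study text)
REGISTER = [
    Risk("Flooding at proposed new production site", gross=(4, 4)),
    Risk("Fire in finished-goods warehouse", gross=(2, 5), residual=(2, 3)),
    Risk("Key supplier delivers late", gross=(4, 2), residual=(2, 2)),
    Risk("Petty cash discrepancies", gross=(2, 1), residual=(2, 1)),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:<45} gross={r.gross} -> {tara_strategy(r.gross)}"
              f"  effectiveness={control_effectiveness(r)}")
    print("priority order:", prioritise(REGISTER))
    print("flood risk after better defences:", reassess(REGISTER[0], (2, 4)))
```

The flooding risk starts in the Avoid quadrant; once defences bring its likelihood down it moves to Transfer, which is the point in Section 2.1.5 about insurance becoming available. The supplier risk shows a positive control effectiveness (it has moved from Reduce into Accept), while the petty cash risk shows no change, which is the signal a manager comparing residual with gross risk is looking for.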



The impact of the oil spill in the Gulf of Mexico on BP was a significant news story in much of 2010. On 3 August 2010 the US Government stated that the oil spill in the Gulf of Mexico was officially the biggest leak ever, with an estimated 4.9 million barrels of oil leaked before the well was capped in July 2010. The consequences of the spill included the departure of BP’s chief executive, Tony Hayward. BP created a compensation fund of $20bn and had paid out a further $8bn in the clean-up campaign by the end of 2010.

The results of BP’s own internal investigation were published in September 2010. It blamed a ‘sequence of failures involving a number of different parties’; that is, BP and two other companies working on the well, although both of the other companies criticised this report. Problems highlighted by the BP report included ‘a complex and interlinked series of mechanical failures, human judgements, engineering design, operational implementation and team interfaces.’

Critics have pointed to other operational problems BP has had, from the explosion at its Texas City refinery to the temporary shutdown at Prudhoe Bay. CNN news quoted an employee who had worked at both locations as saying that no one should be surprised by the 2010 disaster: ‘The mantra was “Can we cut costs by 10%.”’ Transocean, one of the other companies criticised in BP’s September 2010 report, also blamed BP for cost cutting. Transocean was quoted by Associated Press as commenting: ‘In both its design and construction BP made a series of cost-saving decisions that increased risk – in some cases severely.’

The US Commission that reported on BP in January 2011 found that BP did not have adequate controls in place, and that its failures were systemic and likely to recur. The report apportioned blame between the various companies involved, although it emphasised that BP had overall responsibility. The report highlighted failures of management of decision-making processes, lack of communication and training and failure to integrate the cultures and procedures of the different companies involved in the drilling.

The report drew attention to the failure of BP’s engineering team to conduct a formal, disciplined analysis of the risk factors on the prospects for a successful cement job and also the failure to address risks created by late changes to well design and procedures. The report highlighted the flawed design for the cement used to seal the bottom of the well, that the test of the seal was judged successful despite identifying problems and the workers’ failure to recognise the first signs of the impending blowout. The commission found that decisions were taken to choose less costly alternative procedures. These were not subject to strict scrutiny that required rigorous analysis and proof that they were as safe as the more expensive regular procedures.

The report also blamed inadequate government oversight and regulation, with the agency responsible lacking staff who were able to provide effective oversight. Many aspects of control over drilling operations were left to the oil industry to decide. There were no industry requirements for the test that was misinterpreted, nor for testing the cement that was essential for well stability. When BP contacted the agency to ask for a permit to set the plug so deep in the well, the agency made the same mistake as BP, focusing on the engineering review of the well design and paying far less attention to the decisions regarding procedures during the drilling of the well.

However, on the basis of what BP has published, its risk management approach did not appear to differ greatly from that of other oil companies and of many other large organisations across the globe. For example, BP had sophisticated risk assessment processes in place. In 2007 it completed 50 major accident risk assessments. BP’s monitoring procedures included the work carried out by the safety, ethics and environment assurance committee. The committee’s work encompassed all non-financial risks. BP’s systems also received external backing. Accreditations BP held included ISO 14001 at major operating sites, reporting to GRI A+ standard and assurance by Ernst & Young to the AA1000AS principles of inclusivity, materiality and responsiveness.

It’s possible that BP relied on generally accepted risk management practices which may have become less effective over time.


2.2 Avoidance of risk

Organisations will often consider whether risk can be avoided and if so whether avoidance is desirable. That is, will the possible savings from losses avoided be greater than the advantages that can be gained by not taking any measures, and running the risk?

An extreme form of business risk avoidance is termination of operations, for example operations in politically volatile countries where the risks of loss (including loss of life) are considered to be too great or the costs of security are considered to be too high.

2.3 Reduction of risk 6/15

Often risks can be avoided in part, or reduced, but not avoided altogether. This is true of many business risks, where the risks of launching a new product can be reduced by market research, advertising, and so on.



What measures could you take to reduce the risk that suppliers do not deliver supplies of the required quality or do not deliver on time?



Measures might include:

  • Getting references from the suppliers’ other customers
  • Setting standards for quality and delivery time and monitoring suppliers’ delivery performance against those standards (eventually eliminating those who are consistently unreliable)
  • Developing good relationships with suppliers
  • Ensuring that suppliers have all the information they need
  • Insisting that suppliers are ISO 9001 certified
  • Regularly scanning the market for new suppliers

You may have had other ideas. The point is that ‘risk reduction’ techniques are simply a matter of good management. If you mentioned methods such as imposing penalties for poor performance or incentives for good performance that’s fine, but such approaches are really risk sharing.


2.3.1 Policies and techniques

One important distinction in risk reduction is between risk management policies and techniques. This distinction refers to the way risk management operates at different levels in an organisation.

  • Risk policies are agreed at very senior levels of the organisation, by the board, risk committee or risk manager. They may be directed at particular risks.
  • Risk mitigation techniques will be the means of implementing the policies, applied at various levels in the organisation by operational managers and staff, guided by the risk management function.

Other risk reduction measures include contingency planning and loss control.

2.3.2 Contingency planning

Contingency planning involves identifying the post-loss needs of the business, drawing up plans in advance and reviewing them regularly to take account of changes in the business. The process has three basic constituents.

  • Information – How, for example, do you turn off the sprinklers once the fire is extinguished? All the information that will need to be available during and after the event should be gathered in advance. This will include names and addresses of staff, details of suppliers of machinery, waste disposal firms, and so on. The information should be kept up to date and circulated so that it will be readily available to anyone who might need it.
  • Responsibilities – The plan should lay down what is to be done by whom. Duties should be delegated as appropriate. Deputies should be nominated to take account of holidays and sickness. Those who hold responsibilities should be aware of what they are, how they have changed, who will help them, and so on.
  • Practice – Unless the plan has been tested there is no guarantee that it will work. A full-scale test may not always be possible. Simulations, however, should be as realistic as possible and should be taken seriously by all involved. The results of any testing should be monitored so that amendments can be made to the plan as necessary.



Although the response to the threat of the millennium bug in the year 2000 is now often dismissed as something of an over-the-top embarrassment, it does appear to have changed attitudes towards business continuity planning for low-likelihood, high-consequence risks. It meant that organisations now think more broadly about the possibility of threats such as sabotage, and consider how their business interacts with customers and suppliers. The year 2000 threat also meant that organisations updated technology and systems applications to more current technology and introduced uninterruptible power supplies.


2.3.3 Loss control

Control of losses also requires careful advance planning. There are two main aspects to good loss control: the physical and the psychological.

  • There are many physical devices that can be installed to minimise losses when harmful events actually occur. Sprinklers, fire extinguishers, escape stairways, burglar alarms and machine guards are obvious examples.

However, it is not enough to install such devices. They will need to be inspected and maintained regularly, and back-up measures will be needed for times when they are inoperative. Their adequacy and appropriateness in the light of changes to the business also need to be kept under constant review.

  • The key psychological factors are awareness and commitment. Every person in the business should be made aware that losses are possible and that they can be controlled. Commitment to loss control can be achieved by making individual managers accountable for the losses under their control. Staff should be encouraged to draw attention to any aspects of their job that make losses possible.

2.3.4 Diversification of risks 12/12

Risk diversification is designed to spread risk and return. It involves creating a portfolio of different risks based on a number of events, some of which will turn out well and others badly, so that the average outcome will be neutral. What an organisation has to do is avoid having all its risks positively correlated, in which case everything will turn out extremely well or extremely badly together. Ideally, returns from different businesses should be negatively correlated as far as possible.

Diversification can be used to manage risks in a variety of ways:

  • Having a mix of higher and lower risk investments, products, markets and geographical locations; the exact mix will depend on risk appetite
  • Having a mix of equity and debt finance, of short- and long-term debt, and of fixed- and variable-interest debt
  • Having a diversified structure, for example separate divisions or subsidiaries
  • Expanding through the supply chain by forward or backward integration

However, except where restrictions apply to direct investment, investors can probably reduce investment risk more efficiently than companies, as they may have a wider range of investment opportunities.

Diversification may also be difficult for companies to achieve for a number of reasons:

  • Their product portfolio may be skewed towards products which are positively correlated. Many successful businesses achieve good results by specialising. Other businesses, if they diversify, do so into related areas.
  • The assets the business owns can only be used to produce specific products.
  • The business may lack the resources to adjust its portfolio.
  • Diversification may increase risks in certain ways. For example, businesses may lack the internal expertise to compete in too many diverse markets and managing a portfolio of unrelated operations may be very difficult.

2.3.5 Diversification and CAPM

The capital asset pricing model (CAPM), which you covered in Paper F9, provides helpful insights into, and methods of quantifying, business diversification.

  • CAPM draws the distinction between market or systematic risks that cannot be diversified away and non-systematic or unsystematic risks that can be reduced by diversification.
  • It highlights how to eliminate unsystematic risk by holding a balanced portfolio of investments and gives an indication of the extent of the portfolio required to eliminate unsystematic risk.
  • It provides a means of linking the systematic risk of a portfolio or an individual investment with the return required and therefore helps the business decide the extent of risks it is able to tolerate.

Exam focus point

In the exam you may need to explain briefly the use of CAPM as a business tool. However, you will not be required to carry out any calculations using CAPM.
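The arithmetic behind Sections 2.3.4 and 2.3.5 is easy to check with a few lines of code. The following is an added illustration, not part of this text or of CAPM as examined: it computes the risk of a two-asset portfolio at different correlations (showing why positively correlated risks do not diversify and negatively correlated ones do), then splits the variance of an equal-weighted portfolio into the systematic part that stays and the unsystematic part that shrinks as more securities are added. All figures (20% asset volatility, 15% market volatility, 30% idiosyncratic volatility, the rates fed to the CAPM formula) are constructed for the example.

```python
"""Diversification arithmetic: how correlation between assets changes a
portfolio's risk, and the CAPM split of risk into a systematic part that
diversification cannot remove and an unsystematic part that it can.
Added illustration with constructed figures; not from the text."""
import math


def portfolio_std(weights, stds, corr):
    """Standard deviation of a portfolio.

    weights: portfolio weights (sum to 1); stds: each asset's standard
    deviation; corr: correlation matrix as a list of lists.
    """
    n = len(weights)
    variance = 0.0
    for i in range(n):
        for j in range(n):
            variance += weights[i] * weights[j] * stds[i] * stds[j] * corr[i][j]
    return math.sqrt(max(variance, 0.0))  # guard against tiny negative rounding


def two_asset_std(correlation, std=0.20):
    """Equal-weighted pair of assets, each with the same standard deviation
    (constructed 20%), at the given correlation between them."""
    return portfolio_std([0.5, 0.5], [std, std],
                         [[1.0, correlation], [correlation, 1.0]])


def equal_weight_variance(n, beta=1.0, market_std=0.15, idio_std=0.30):
    """Variance of an equal-weighted portfolio of n securities under a
    single-index (CAPM-style) model in which every security has the same
    beta and the same independent idiosyncratic risk (constructed values).

    Returns (systematic, unsystematic): the systematic part beta^2 * sigma_m^2
    does not shrink as n grows; the unsystematic part sigma_e^2 / n does.
    """
    systematic = (beta * market_std) ** 2
    unsystematic = idio_std ** 2 / n
    return systematic, unsystematic


def capm_required_return(beta, risk_free, market_return):
    """Required return for a given systematic risk: rf + beta * (rm - rf)."""
    return risk_free + beta * (market_return - risk_free)


if __name__ == "__main__":
    for rho in (1.0, 0.5, 0.0, -1.0):
        print(f"correlation {rho:+.1f}: portfolio std {two_asset_std(rho):.3f}")
    for n in (1, 5, 20, 100):
        sys_v, unsys_v = equal_weight_variance(n)
        print(f"{n:3d} securities: systematic {sys_v:.4f}, unsystematic {unsys_v:.4f}")
    print(f"beta 1.2, rf 3%, rm 9%: required return "
          f"{capm_required_return(1.2, 0.03, 0.09):.1%}")
```

With correlation +1 the pair is as risky as either asset alone (20%); with correlation 0 the risk falls to about 14%; with correlation -1 it disappears. In the second table the systematic variance is the same for 1 and for 100 securities, while the unsystematic variance is divided by the number held, which is the point CAPM makes about what diversification can and cannot remove.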

2.3.6 International diversification

Many risks bear particularly heavily on companies that trade or invest extensively overseas. A business can reduce its exposure to risks internationally by diversification of its trading interests or portfolio of investments. International portfolio diversification can be very effective for the following reasons.

  • Different countries are often at different stages of the trade cycle at any one time.
  • Monetary, fiscal and exchange rate policies differ internationally.
  • Different countries have different endowments of natural resources and different industrial bases.
  • Potentially risky political events are likely to be localised within particular national or regional boundaries.
  • Securities markets in different countries differ considerably in the combination of risk and return that they offer.

However, there are a number of factors that may limit the potential for international diversification:

  • Legal restrictions exist in some markets, limiting ownership of securities by foreign investors (discussed below under political risk).
  • Foreign exchange regulations may prohibit international investment or make it more expensive.
  • Double taxation of income from foreign investment may deter investors.
  • There are likely to be higher information and transaction costs associated with investing in foreign securities.
  • Some types of investor may have a parochial home bias for domestic investment.

2.4 Acceptance of risks

Risk acceptance is where the organisation bears the risk itself and, if an unfavourable outcome occurs, it will suffer the full loss. Risk retention is inevitable to some extent. However good the organisation’s risk identification and assessment processes are, there will always be some unexpected risk. Other reasons for risk retention are that the risk is considered to be insignificant or the cost of avoiding the risk is considered to be too great, set against the potential loss that could be incurred.

The decision of whether to retain or transfer risks depends first on whether there is anyone to transfer a risk to. The answer is more likely to be ‘no’ for an individual than for an organisation because:

  • Individuals have more small risks than do organisations and the administrative costs of transferring and carrying them can make the exercise impracticable for the insurer
  • The individual has smaller resources to find a carrier

As a last resort organisations usually have customers to pass their risks or losses to, up to a point, and individuals do not.

2.4.1 Self-insurance

An option sometimes associated with accepting risks is self-insurance. In contrast to non-insurance, which is effectively gritting one’s teeth and hoping for the best, self-insurance is putting aside funds of whatever size, in a lump or at intervals, in a reserve dedicated to defraying the expenses involved should a particular sort of loss happen.

A more sophisticated method of self-insurance is setting up a captive.

2.4.2 Captive insurance

Key terms

A captive, or captive insurer, is an insurance company wholly owned by a commercial organisation, and usually dedicated solely to the underwriting of its parent company’s risks. Its primary purpose, therefore, is to be a vehicle for transfer of the parent company’s risks.

An organisation with a risk that it cannot carry, which cannot find one or more insurers to take the bulk of that risk from it, may form a captive insurer to carry that risk. The captive insurer has all the parent’s experience of the risk to call on, so its premiums will not be unnecessarily large, and its policy terms will be reasonable.



Arunshire Council is the local government authority responsible for the running of public services in a district. The Council is responsible for the maintenance of the entire public infrastructure in its area of responsibility, including the roads and sewerage systems. The Council also manages education and care for vulnerable residents such as the elderly and infirm.

Employment law requires that every employer, including Arunshire Council, must maintain a register of all workplace injuries sustained by employees. There is no precise definition of a reportable injury, but Council guidelines indicate that anything that requires a dressing, such as a bandage or sticking plaster, must be reported as minor injuries. Injuries are classified as ‘serious’ if they require the victim to be absent from work for more than three days and ‘severe’ if they require admission to hospital or involve a fatality.

The latest injury statistics show that there were 130 injuries during the year ended 31 December 20X0, of which 25 were serious injuries and four were severe. The Council’s Operations Director is satisfied with these figures because the number of injuries is no worse than in previous years. He holds the view that such figures are to be expected given the diverse range of jobs, many of which are risky, throughout the Council. The Chief Executive of the Council does not share these views: they think that the Council should try to prevent all injuries by eliminating accidents in the workplace.


  • Discuss the Director of Operations’ view that it is impossible to prevent all workplace injuries.
  • Discuss the Chief Executive’s view that it is unacceptable for Arunshire Council to tolerate any workplace injuries.



(a) Points in favour of view

Human error

Even if Arunshire has strong risk management systems in place, they may still be undermined by human error. An isolated lapse in concentration could result in an accident.

Credible policies  

In order to minimise or eliminate risks, more onerous health and safety procedures may be introduced, including investigation of the factors that have led to injuries. However, staff may not take these procedures seriously if they feel they are impractical. Staff failing to operate onerous procedures properly may result in greater risk than staff operating less strict procedures effectively.

Points against view 


The director’s view appears to be complacent. The current injury statistics seem to be high. There is scope for reducing injuries towards zero, even if Arunshire can never prevent all injuries.

Reduction measures

Practical measures can be taken to reduce injuries. Health and safety training can be improved. Arunshire can introduce requirements for staff performing certain tasks, for example lifting heavy objects.

Negligence claims      

The Director’s toleration of an ‘acceptable’ level of injuries may leave the council vulnerable to legal claims. Staff who have been injured could use the Director’s statements as evidence of a negligent attitude by senior management towards employee safety.

(b) Points for

Consequences of breaches 

A strong argument in favour of zero tolerance is the consequences of accidents, possibly serious injury or death. Although a lapse may only have resulted in a minor injury on one occasion, the same lapse another time could have much more severe consequences.

Duty of council

However health and safety law is drafted, the Council has a clear moral duty to ensure its employees’ safety.

Safety culture 

Aiming towards eliminating injuries can help promote a strong culture of safety. If staff understand that there is no such thing as an acceptable level of injuries, they are unlikely to become complacent and will take steps to reduce the level of accidents further.

Points against  

Employee involvement in hazardous activities

The extent of the Council’s responsibilities make it inevitable that some staff will have to be involved in hazardous activities. This will mean that there will always be a risk of injuries occurring, even if it can be reduced to very small levels.


Some risk prevention procedures, for example requiring staff to wear cumbersome clothing, may be impractical. The costs and time taken to investigate minor problems may be excessive.


2.5 Transfer of risk

Alternatively, risks can be transferred – to other internal departments or externally to suppliers, customers or insurers. Risk transfer can even be to the state.

Decisions to transfer should not be made without careful checking to ensure that as many influencing factors as possible have been included in the assessment. A decision not to rectify the design of a product, because rectification could be as expensive as paying out on claims from disgruntled customers, is in fact a decision to transfer the risk to the customers without their knowledge. The decision may not take into account the possibility of courts awarding exemplary damages to someone injured by the product, to discourage people from taking similar decisions in the future.

Internal risk transfer can also cause problems if it is away from departments with more ‘clout’ (eg sales) and towards departments such as finance who may be presumed to downplay risks excessively.

2.5.1 Hold harmless agreements

Indemnity or hold harmless agreements can be useful. They:

  • Reduce the price of goods for a party who takes on extra responsibility
  • Preserve good trading relations by avoiding arguments
  • Preserve good public relations if efficiently and sympathetically operated

2.5.2 Limitation of liability

Some contracts, in which one party accepts strict liability up to a set limit, or liability which is wider than the law would normally impose, follow very ancient customs. Examples are contracts for carriage of passengers or goods by air or sea.

2.5.3 Legal and other restrictions on transferring risks

The first restriction is that a supplier or customer may refuse to enter a contract unless your organisation agrees to take a particular risk. This depends on the trading relationship between the firms concerned, and not a little on economics. How many suppliers could supply the item or service in question, for example, and how great is your need for the item?

2.5.4 Risk sharing

Risks can be partly held and partly transferred to someone else. An example is an insurance policy, where the insurer pays any losses incurred by the policyholder above a set amount.

Risk-sharing arrangements can be very significant in business strategy. For example in a joint venture arrangement each participant’s risk can be limited to what it is prepared to bear. 



The Swiss Cheese model is used to show the continual variability of the risks organisations face and how control systems interact to counter risks – and on occasions fail to interact, leading to accidents happening and losses being incurred.

The psychologist Paul Reason, the creator of this model, hypothesised that most accidents are due to one or more of the four levels of failure.

  • Organisational influences
  • Unsafe supervision
  • Preconditions for unsafe acts
  • Unsafe acts

The first three elements in the list can be classified as ‘latent failures’, contributory factors that may have lain dormant for some time. Unsafe acts can be classified as active errors, human actions in the form of careless behaviour or errors.

Organisations can have control systems in place to counter all of these, but they can be seen as a series of slices of Swiss cheese. Slices of Swiss cheese have holes in them, and seeing control systems in these terms emphasises the weaknesses inherent in them. Reason went on to say that the holes in the systems are continually varying in size and position. Systems failure occurs and accidents happen when the holes in each system align.

Reason points out that, viewed this way, the focus shifts away from blaming a person and towards organisational and institutional responsibility. In the field of healthcare, on which Reason concentrated, blaming the person leads to a failure to realise that the same set of circumstances could lead to similar errors regardless of the people involved. Ultimately it thwarts the development of safer healthcare institutions.

‘Active failures are like mosquitoes. They can be swatted one by one but they still keep coming. The best remedies are to create more effective defences and to drain the swamps in which they breed, the swamps (being) the ever-present latent conditions.’

Reason emphasised the importance of a sound reporting culture in a system of risk management. ‘Without a detailed analysis of mishaps, incidents, near misses and free lessons, we have no way of uncovering recurrent error traps or of knowing where the edge is until we fall over it.’
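The Swiss Cheese model can be expressed as a calculation, which makes Reason’s two remedies concrete. The following is an added illustration, not taken from Reason’s work or from this text: it treats each of the four levels of failure as a defensive layer with a ‘hole size’ (the chance that the layer lets a hazard through on one occasion), so that an accident, which needs every hole to line up, has a probability equal to the product of the hole sizes when the layers fail independently. A second function shrinks only the three latent layers (‘draining the swamp’), and a small simulation lets the holes move and resize from occasion to occasion and counts near misses as well as accidents, the ‘free lessons’ a reporting culture is meant to capture. The hole sizes are constructed for the example.

```python
"""The Swiss Cheese model as arithmetic and as a small simulation: an
accident needs a hole in every defensive layer at once, so its probability
is the product of the layers' hole sizes when the layers are independent.
Added illustration with constructed hole sizes; not from Reason's work."""
import random

# Constructed: probability that each layer lets a hazard through on one
# occasion.  The first three are latent conditions, the last is active error.
LAYERS = {
    "organisational influences": 0.10,
    "unsafe supervision": 0.20,
    "preconditions for unsafe acts": 0.30,
    "unsafe acts": 0.25,
}
LATENT = ("organisational influences", "unsafe supervision",
          "preconditions for unsafe acts")


def accident_probability(layers):
    """Independent layers: the holes align with probability equal to the
    product of the individual hole sizes."""
    p = 1.0
    for hole in layers.values():
        p *= hole
    return p


def drain_the_swamp(layers, factor):
    """Shrink the latent-condition holes by 'factor', leaving active error
    unchanged: Reason's remedy of fixing latent conditions rather than
    swatting individual active failures."""
    return {name: (p * factor if name in LATENT else p)
            for name, p in layers.items()}


def simulate(layers, trials, seed=1):
    """Monte Carlo in which each hole's size varies from occasion to occasion
    (holes move and resize).  Returns (accident rate, near-miss rate), a
    near miss being an occasion on which all layers but one were breached."""
    rng = random.Random(seed)
    accidents = near_misses = 0
    for _ in range(trials):
        breached = 0
        for mean in layers.values():
            # hole size this time: noisy around its mean, clamped to [0, 1]
            hole = min(1.0, max(0.0, rng.gauss(mean, mean / 2)))
            if rng.random() < hole:
                breached += 1
        if breached == len(layers):
            accidents += 1
        elif breached == len(layers) - 1:
            near_misses += 1
    return accidents / trials, near_misses / trials


if __name__ == "__main__":
    print(f"baseline accident probability: {accident_probability(LAYERS):.5f}")
    drained = drain_the_swamp(LAYERS, 0.5)
    print(f"after halving latent holes:    {accident_probability(drained):.5f}")
    acc, near = simulate(LAYERS, 50_000)
    print(f"simulated: accidents {acc:.4f}, near misses {near:.4f}")
```

Halving the three latent holes cuts the accident probability by a factor of eight, whereas swatting the active layer alone could at best halve it. The simulation also shows that near misses are far more frequent than accidents, which is why Reason treats their reporting and analysis as the main source of information about where the holes are.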


2.6 Communication of risk

Communicating to shareholders and other stakeholders, particularly about those risks that cannot be avoided, is an important aspect of risk management. Of course, the stock market may react badly to this news. If risks are to be communicated successfully, the messages need to be consistent and the organisation has to be trusted by the recipients.

The Institute of Risk Management’s Risk Management Standard suggests that formal reporting of risk management should address:

  • Control methods – particularly management responsibilities for risk management
  • Processes used to identify risks and how they are addressed by the risk management systems
  • Primary control systems in place to manage significant risks
  • Monitoring and review systems

We consider reporting in the context of directors’ review of risk and internal control in Chapter 8.



Mazda has a basic risk management policy and more detailed risk management regulations in place. Responsibility for risk management is split between departments in charge of business areas and departments that carry out business on a company-wide basis.

In addition to measures to protect its manufacturing sites and other important facilities against fire and earthquakes, Mazda has concluded natural disaster insurance contracts and taken other steps to minimize the financial risk of such events.


Question 2 in December 2007 required students to select the most appropriate strategies for managing a selection of risks. Importantly it asked students to give reasons for their chosen strategies. Thus students had some flexibility in choosing a strategy, provided they could justify sensibly what they had selected.

3 Financial risk management

FAST FORWARD

Diversification limits financial risk by taking on a portfolio of different risks constructed so that, should they all crystallise, the outcome will be neutral.

Hedging is the main method used to control interest rate and exchange rate risks.

3.1 Importance of financial risk management

Sound management of financial risks has a number of benefits. These were highlighted in the Management Accounting Guideline Financial Risk Management for Management Accountants by Margaret Woods and Kevin Dowd.

  • Better reputation
  • Reduction in earnings volatility meaning that published information is more reliable
  • More stable earnings reducing average tax liabilities
  • Protection of cash flows
  • Reduction of cost of capital
  • More opportunities to invest because of improved credit rating and more secure access to capital
  • Stronger position in merger and acquisition negotiations
  • Better managed supply chain and more secure customer base

3.2 Role of the treasury function

The Association of Corporate Treasurers’ definition of treasury management is ‘the corporate handling of all financial matters, the generation of external and internal funds for business, the management of currencies and cash flows, and the complex strategies, policies and procedures of corporate finance’.

Larger companies have specialist treasury departments to handle financial risks.

3.3 Risk diversification

As mentioned above, diversification can be used to manage financial risks in a variety of ways.

3.4 Risk hedging

Key term

Hedging means taking an action that will offset an exposure to a risk by incurring a new risk in the opposite direction.

Hedging is perhaps most important in the area of currency or interest rate risk management. You covered the main instruments used to hedge these risks in F9 and we shall recap on them briefly. Generally speaking, they involve an organisation making a commitment to offset the risk of a transaction that will take place in the future.

3.4.1 Advantages of hedging

Hedging can lead to a smoother flow of cash and lower risks of bankruptcy and can result in a fall in the company’s cost of capital.

3.4.2 Disadvantages of hedging

From the shareholders’ viewpoint hedging will not affect their position if they hold a well-diversified portfolio. There will be possibly significant transaction costs from purchasing hedging products including brokerage fees and transaction costs. Because of lack of expertise, senior management may be unable to monitor hedging activities effectively. There may also be tax and accounting complications, particularly arising from IASs 32 and 39 and IFRSs 7 and 9.

3.5 Methods of hedging

The business can take advantage of its own circumstances to hedge naturally. Some of its risk exposures may cancel out. Internal netting, the management of multiple internal exposures across a range of currencies so that receipts and payments cancel out, is a form of natural hedging.

3.5.1 Forward contracts

A forward contract is a commitment to undertaking a future transaction at a set time and at a set price. For example a forward exchange contract is a binding contract between a bank and its customers for a specified quantity of a stated foreign currency at a rate of exchange fixed at the time the contract is made. The performance of the contract will take place at a future time specified when the contract is made.

Traders will therefore know in advance how much of their local currency they will receive or pay in exchange for the foreign currency that they have to sell or buy arising from the future transaction.

However, they cannot take advantage of any favourable currency movements.

3.5.2 Futures

A future represents a commitment to an additional transaction in the future that limits the risk of existing commitments. For example currency futures are standardised contracts to buy or sell a fixed amount of currency at a fixed rate at a fixed future date. Because futures are traded on an exchange they can be bought or sold as required, and a business using futures to hedge transactions can close out (dispose of their interest in the futures) before the contract is settled.

If a trader is going to make a foreign currency payment in the future, it can hedge the risk of adverse exchange rate movements increasing the payment by buying foreign currency futures now and selling them at the date the payment is settled. If foreign exchange rates move adversely, the impact of this movement should be mitigated by a profit on the futures.

3.5.3 Options

An option represents a commitment by a seller to undertake a future transaction, where the buyer has the option of not undertaking the transaction. With options the risks are transferred to the seller (writer) of the option.

For example an interest rate option will grant the buyer the right, but not the obligation, to deal at an agreed interest rate at a future maturity date. When the option expires the buyer must decide whether or not to exercise the right.

Clearly, a buyer of an option to borrow will not wish to exercise it if the market interest rate is now below that specified in the option agreement. Conversely, an option to lend will not be worth exercising if market rates have risen above the rate specified in the option by the time the option has expired.

Options are most useful when there is uncertainty about price movements, and a reasonable chance that prices could move adversely or favourably. An option protects against adverse movements, and allows the buyer to take advantage of favourable movements. An option also allows the buyer the chance to avoid exercising the option if the transaction being hedged does not take place.

However, the cost of the option (the premium) which has to be settled when the option is purchased may be expensive.

3.5.4 Swaps

A swap is a formal arrangement where two parties agree to exchange payments on different terms, for example in different currencies or one at a fixed rate and the other at a floating rate. It can be a method of exploiting the different terms available to the two parties in different markets. It can also be a means of hedging financial risks. For example, a borrower borrowing at floating interest rates and worried about significant upward movements can swap the floating rate commitment for a commitment to borrow at a fixed rate.
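The four instruments in Sections 3.5.1 to 3.5.4 are easiest to compare by working out what a single exposure would actually cost under each. The following is an added example, not part of this text or the F9 material it recaps: a business must pay USD 1,000,000 in a few months, and the code computes its sterling cost at a range of possible spot rates with no hedge, with a forward contract, with a futures hedge and with a currency option, then shows a pay-fixed interest rate swap on a floating-rate loan. Rates are quoted as GBP per USD and are constructed; the futures contract size (USD 100,000), the basis at close-out and the option premium (GBP 15,000) are assumptions made for the example, not market data.

```python
"""What a future foreign-currency payment costs in sterling under no hedge,
a forward contract, a futures hedge and a currency option, plus a pay-fixed
interest rate swap.  Added illustration with constructed rates quoted as
GBP per USD; not from the text.  Contract size and basis are assumptions."""


def unhedged_cost(usd_amount, spot_at_settlement):
    """No hedge: pay whatever the spot rate is on the day."""
    return usd_amount * spot_at_settlement


def forward_cost(usd_amount, forward_rate):
    """Forward contract: rate fixed when the contract is made, so the
    sterling cost is known now and favourable moves cannot be captured."""
    return usd_amount * forward_rate


def futures_hedged_cost(usd_amount, spot_at_settlement, futures_price_now,
                        contract_size=100_000, basis=0.0):
    """Buy USD futures now, close out (sell) on the payment date.
    Futures are standardised (assumed USD 100,000 per contract), so the
    hedge covers a whole number of contracts; 'basis' is the assumed gap
    between the futures price and spot at close-out (basis risk)."""
    contracts = round(usd_amount / contract_size)
    hedged_usd = contracts * contract_size
    futures_at_close = spot_at_settlement + basis
    futures_gain = (futures_at_close - futures_price_now) * hedged_usd
    return usd_amount * spot_at_settlement - futures_gain


def option_cost(usd_amount, spot_at_settlement, strike, premium_gbp):
    """Call option on USD: exercise only if spot is above the strike, so
    the cost is capped at the strike but the premium is paid regardless."""
    effective_rate = min(spot_at_settlement, strike)
    return usd_amount * effective_rate + premium_gbp


def loan_interest(principal, floating_rate, margin):
    """Annual interest on a floating-rate loan at reference rate + margin."""
    return principal * (floating_rate + margin)


def swapped_interest(principal, floating_rate, margin, swap_fixed_rate):
    """Pay-fixed swap: the borrower receives floating from the swap
    counterparty (cancelling the loan's floating leg) and pays fixed, so
    the all-in cost is fixed rate + loan margin whatever floating does."""
    loan = loan_interest(principal, floating_rate, margin)
    swap_net = principal * (swap_fixed_rate - floating_rate)
    return loan + swap_net


if __name__ == "__main__":
    USD = 1_000_000
    FWD = 0.80  # constructed forward rate, futures price and option strike
    print("spot   unhedged   forward   futures    option")
    for spot in (0.72, 0.76, 0.80, 0.84, 0.88):
        print(f"{spot:.2f}  {unhedged_cost(USD, spot):9,.0f} "
              f"{forward_cost(USD, FWD):9,.0f} "
              f"{futures_hedged_cost(USD, spot, FWD):9,.0f} "
              f"{option_cost(USD, spot, FWD, 15_000):9,.0f}")
    for floating in (0.03, 0.06):
        print(f"floating {floating:.0%}: unswapped "
              f"{loan_interest(10_000_000, floating, 0.01):,.0f}, "
              f"swapped {swapped_interest(10_000_000, floating, 0.01, 0.035):,.0f}")
```

The table makes the trade-offs in the text visible: the forward locks the cost at GBP 800,000 whatever happens; the futures hedge does the same when the futures price tracks spot, and drifts from it by the basis when it does not; the option costs GBP 15,000 more than the forward when sterling weakens but keeps the benefit when sterling strengthens. The swap lines show the floating-rate borrower’s interest fixed at 4.5% of principal whether the reference rate is 3% or 6%.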

3.6 Hedging and speculation

As well as hedging, some types of derivative are used for speculation. The speculator is hoping to make a profit by prejudging how the price of the underlying asset will move. Indeed there would be no market for hedging unless counterparties were prepared to be involved in speculation. Because the derivatives market is highly leveraged, the speculator can, for a small deposit, invest in derivatives, where the movements in price are proportionally much greater than those of the underlying commodity. As a result the profit or loss per pound invested is much greater than speculating on the underlying commodity. Hence Warren Buffett and others view them as a potential time bomb.



The hedging activities of the banking sector in general were put under the media spotlight in May 2012 when J.P. Morgan announced that a trading desk in London had lost more than $2bn. J.P. Morgan had had a reputation for being one of the better managed and cautious banks. However, the chief executive, Jamie Dimon, blamed ‘errors, sloppiness and bad judgement’ for the losses.

Initial reports suggested the transactions were not unauthorised or carried out by a rogue trader, but were the result of a change in hedging strategy. This change made the strategy more complex and more risky, when hedge funds took advantage of the volatility stemming from J.P. Morgan’s trades. According to an executive at the bank, Dimon wasn’t immediately told about the shift in strategy and didn’t know the magnitude of the losses until after the company reported earnings on 13 April. However, Dimon had reportedly previously encouraged the trading desk to make bigger and riskier speculative trades.

It was reported that the desk had taken positions so large that even J.P. Morgan, the largest and most profitable US bank, couldn’t unwind them at all easily.

Dimon had called previous news coverage in April 2012 about the positions that the bank was taking as a ‘complete tempest in a teacup’. Days before the announcement of the loss he had led bank chief executives in a meeting to lobby the American Federal Reserve to soften proposed banking reforms.

J.P. Morgan’s share price fell by 9% on the day the losses were announced. The share price of other banks also suffered.


3.7 Other risk management methods

3.7.1 Internal strategies

Internal strategies for managing financing and credit risks include working capital management and maintaining reserves of easily liquidated assets. Specific techniques that businesses use include:

  • Vetting prospective partners to assess credit limits
  • Position limits, ceilings on limits granted to counterparties
  • Monitoring credit risk exposure
  • Credit triggers, terminating an arrangement if one party’s credit level becomes critical
  • Credit enhancement, settling outstanding debts periodically
  • Matching so that receipts in a currency are equalised as near as possible by payments in the same currency and likewise assets and liabilities

3.7.2 Risk sharing

FAST FORWARD

There are various instruments that businesses can purchase in order to share credit risks. These include:

  • Credit guarantees – the purchase from a third party of a guarantee of payment
  • Credit default swaps – a swap in which one payment is conditional on a specific event such as a default
  • Total return swaps – one part is the total return on a credit-related reference asset
  • Credit-linked notes – a security that includes an embedded credit default swap

However, credit derivatives are not a means of eliminating risk. Risks include counterparty default and basis risk, the risk that derivative prices don’t move in the same direction or to the same extent as the underlying asset.

3.7.3 Risk transfer

Credit insurance can be used for a specific transaction or all of the business.

An alternative method of transferring risk is securitisation. This is the conversion of financial or physical assets into tradable financial instruments. This creates the potential to increase the scale of business operations by converting relatively illiquid assets into liquid ones.

An operational method of transferring the foreign currency risk on a future transaction is for exporters to invoice their customers in the exporters’ domestic currency, and for importers to arrange with suppliers to be invoiced in their domestic currency.

4 Control activities 12/14

Controls can be classified in various ways including corporate, management, business process and transaction; administrative and accounting; prevent, detect and correct; discretionary and non-discretionary; voluntary and mandated.

The mnemonic SPAMSOAP can be used to remember the main types of control.


Key term

Control activities are those policies and procedures that help ensure that management directives are carried out. Control activities are a component of internal control. (UK Financial Reporting Council)
4.1 COSO guidance

COSO’s guidance in Internal Control – Integrated Framework stresses that control activities are a means to an end and are effected by people. The guidance states:

‘It is not merely about policy manuals, systems and forms but people at every level of an organisation that impact internal control.’

Because the human element is so important, it follows that many controls fail because of problems with the managers and staff operating them. These include failing to operate controls because they are not taken seriously or because of mistakes, collusion between staff, or management telling staff to override controls. The COSO guidance therefore stresses the importance of segregation of duties, to reduce the possibility of a single person being able to act fraudulently and to increase the possibility of errors being found.
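Segregation of duties is a control that can be tested from the records it leaves. The following is an added example, not COSO’s own material: it runs three checks over a constructed payment log, flagging transactions where the same person initiated and approved a payment, users who hold both rights anywhere in the log (a toxic combination even if they never self-approved), and payments recorded as having been approved on instruction to skip the normal check, the management override the guidance warns about. It also counts approvals per approver, since one approver handling almost everything weakens the second pair of eyes the control depends on. The log fields, the override note and all names and amounts are assumptions made for the example.

```python
"""Segregation-of-duties checks over a constructed payment log: one person
should not both initiate and approve a payment, and ideally should not hold
both rights at all.  Added illustration, not COSO's own material; the log
fields and the override note are assumptions."""
from collections import Counter

# Constructed sample log: (payment id, initiated_by, approved_by, amount,
# override note, or None when the approval followed the normal control)
PAYMENTS = [
    ("P-1001", "alice", "bob",    4_200.00, None),
    ("P-1002", "carol", "carol",  9_800.00, None),   # self-approved
    ("P-1003", "dave",  "alice",  1_150.00, None),   # alice also initiates
    ("P-1004", "erin",  "bob",   25_000.00, "manager told clerk to skip check"),
    ("P-1005", "dave",  "bob",    3_300.00, None),
]


def self_approved(payments):
    """Transactions where the same person initiated and approved."""
    return [pid for pid, init, appr, _, _ in payments if init == appr]


def conflicting_users(payments):
    """Users who appear as both initiator and approver somewhere in the log:
    a toxic combination of rights even when no single transaction was
    self-approved."""
    initiators = {init for _, init, _, _, _ in payments}
    approvers = {appr for _, _, appr, _, _ in payments}
    return sorted(initiators & approvers)


def overridden(payments):
    """Transactions where the normal control was bypassed on instruction."""
    return [pid for pid, _, _, _, note in payments if note]


def approver_concentration(payments):
    """How many approvals each approver made: one approver handling most
    payments weakens the 'second pair of eyes' the control relies on."""
    return Counter(appr for _, _, appr, _, _ in payments)


def sod_report(payments):
    """Summary a reviewer could act on."""
    return {
        "self_approved": self_approved(payments),
        "conflicting_users": conflicting_users(payments),
        "overridden": overridden(payments),
        "approvals_by_user": dict(approver_concentration(payments)),
    }


if __name__ == "__main__":
    for key, value in sod_report(PAYMENTS).items():
        print(f"{key}: {value}")
```

On the sample log the report flags P-1002 as self-approved, lists alice and carol as holding both rights, flags P-1004 as an override, and shows bob making three of the five approvals. Each finding corresponds to one of the failure modes in the paragraph above: a single person acting alone, rights that make that possible, and management instructing staff to bypass a control.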

4.1.1 Controls over financial reporting

COSO’s 2006 guidance concentrates on the needs of smaller companies, because of the challenges they face in implementing Sarbanes-Oxley effectively. The guidance highlights the need for focusing on key financial reporting objectives. This should help managers carry out effective risk assessments and mean they only implement appropriate controls, rather than implementing ‘standard’ controls that are not useful for the business.

4.2 Classification of control procedures

You may find internal controls classified in different ways, and these are considered below.

4.2.1 Corporate, management, business process and transaction controls

This classification is based on the idea of a pyramid of controls from corporate controls at the top of the organisation, to transaction controls over the day-to-day operations.

  • Corporate controls include general policy statements, the established core culture and values and overall monitoring procedures such as the audit committee.
  • Management controls encompass planning and performance monitoring, the system of accountabilities to superiors and risk evaluation.
  • Business process controls include authorisation limits, validation of input, and reconciliation of different sources of information.
  • Transaction controls include complying with prescribed procedures and accuracy and completeness checks.

4.2.2 Administrative controls and accounting controls

Administrative controls are concerned with achieving the objectives of the organisation and with implementing policies. The controls relate to the following aspects of control systems.

  • Establishing a suitable organisation structure
  • The division of managerial authority
  • Reporting responsibilities
  • Channels of communication

Accounting controls aim to provide accurate accounting records and to achieve accountability. They apply to the following.

  • The recording of transactions
  • Establishing responsibilities for records, transactions and assets

4.2.3 Prevent, detect and correct controls    6/11

Prevent controls are controls that are designed to prevent errors from happening in the first place. Examples of prevent controls are as follows.

  • Effective development and design procedures, which should ensure, for example, that safety features are built into new products, that enough time is spent testing for susceptibility to key risks, and that a project or product is not signed off until all the weaknesses identified during testing have been addressed
  • Checking invoices from suppliers against goods-received notes before paying the invoices
  • Regular checking of delivery notes against invoices, to ensure that all deliveries have been invoiced
  • Signing of goods-received notes, credit notes, overtime records and so forth, to confirm that goods have actually been received, credit notes properly issued, overtime actually authorised and worked, and so on



Question   Prevent controls
How can prevent controls be used to measure performance and efficiency?  


In the above examples the system outputs could include information, say, about the time lag between delivery of goods and invoicing:

  • As a measure of the efficiency of the invoicing section
  • As an indicator of the speed and effectiveness of communications between the despatch department and the invoicing department
  • As relevant background information in assessing the effectiveness of cash management

You should be able to think of plenty of other examples. Credit notes reflect customer dissatisfaction, for example. How quickly are they issued?


Detect controls are controls that are designed to detect errors once they have occurred. Examples of detect controls in an accounting system are bank reconciliations and regular checks of physical inventory against book records of inventory.

Correct controls are controls that are designed to minimise or negate the effect of errors. An example of a correct control would be back-up of computer input at the end of each day, or the storing of additional copies of software at a remote location.

Direct controls direct activities or staff towards a desired outcome. Examples include operational manuals or training in dealing with customers.
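To make the three classes concrete, here is an added example in Python (not from the study text): a prevent control that refuses to release an invoice for payment unless it matches a signed goods-received note, a detect control that reconciles a cash book against a bank statement after the fact, and a correct control that rebuilds a ledger from its end-of-day backup plus the day's journal of postings. The supplier names, document numbers, amounts and account names are constructed sample data.

```python
# Added example (not from the study text): prevent, detect and correct
# controls over a small purchase ledger, run on constructed sample data.
from copy import deepcopy
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class GoodsReceivedNote:
    grn_id: str
    supplier: str
    qty: int
    signed_by: Optional[str]  # signature confirms the goods were actually received


@dataclass(frozen=True)
class Invoice:
    inv_id: str
    supplier: str
    grn_id: str
    qty: int
    amount: float


# --- Prevent control ---------------------------------------------------------
# An invoice is released for payment only if it matches a signed goods-received
# note, so paying for goods never received cannot happen in the first place.
def check_invoice(inv: Invoice, grns: Dict[str, GoodsReceivedNote]) -> Tuple[bool, str]:
    grn = grns.get(inv.grn_id)
    if grn is None:
        return False, "no goods-received note for invoice"
    if grn.signed_by is None:
        return False, "goods-received note not signed"
    if grn.supplier != inv.supplier:
        return False, "supplier on goods-received note does not match invoice"
    if grn.qty != inv.qty:
        return False, f"quantity mismatch: received {grn.qty}, invoiced {inv.qty}"
    return True, "matched"


# --- Detect control ----------------------------------------------------------
# Bank reconciliation: compare the cash book with the bank statement and report
# every item the two sources disagree on. Errors are found after they occurred.
def reconcile(cash_book: Dict[str, float], bank: Dict[str, float]) -> Dict[str, List[str]]:
    return {
        "in_bank_not_in_books": sorted(k for k in bank if k not in cash_book),
        "in_books_not_in_bank": sorted(k for k in cash_book if k not in bank),
        "amount_differs": sorted(k for k in cash_book if k in bank and cash_book[k] != bank[k]),
    }


# --- Correct control ---------------------------------------------------------
# End-of-day backup plus a journal of the day's postings: if the live ledger is
# damaged, the effect of the error is negated by rebuilding from the backup.
def post(ledger: Dict[str, float], journal: List[Tuple[str, float]], account: str, amount: float) -> None:
    journal.append((account, amount))
    ledger[account] = ledger.get(account, 0.0) + amount


def restore(backup: Dict[str, float], journal: List[Tuple[str, float]]) -> Dict[str, float]:
    rebuilt = deepcopy(backup)
    for account, amount in journal:
        rebuilt[account] = rebuilt.get(account, 0.0) + amount
    return rebuilt


# Constructed sample data (assumed, not from the study text)
GRNS = {
    "GRN-1": GoodsReceivedNote("GRN-1", "Acme Ltd", 100, signed_by="warehouse.clerk"),
    "GRN-2": GoodsReceivedNote("GRN-2", "Acme Ltd", 50, signed_by=None),
}
INVOICES = [
    Invoice("INV-1", "Acme Ltd", "GRN-1", 100, 1200.0),  # matches a signed GRN
    Invoice("INV-2", "Acme Ltd", "GRN-2", 50, 600.0),    # GRN never signed
    Invoice("INV-3", "Acme Ltd", "GRN-1", 120, 1440.0),  # over-invoiced quantity
    Invoice("INV-4", "Other Co", "GRN-9", 10, 90.0),     # no GRN at all
]


def run_example():
    payable = {inv.inv_id: check_invoice(inv, GRNS) for inv in INVOICES}
    recon = reconcile({"chq100": 500.0, "chq101": 250.0},
                      {"chq100": 500.0, "chq101": 205.0, "fee": 12.0})
    backup = {"cash": 1000.0}          # end-of-day snapshot
    ledger, journal = deepcopy(backup), []
    post(ledger, journal, "cash", -500.0)
    post(ledger, journal, "purchases", 500.0)
    ledger["cash"] = 999999.0          # simulate corruption of the live ledger
    rebuilt = restore(backup, journal)
    return payable, recon, rebuilt


if __name__ == "__main__":
    for name, value in zip(("payable", "reconciliation", "rebuilt ledger"), run_example()):
        print(name, value)
```

Note the difference in timing that the classification captures: the invoice check runs before any cash leaves, the reconciliation only reports what has already gone wrong, and the restore does not find errors at all but limits their effect.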

4.2.4 Discretionary and non-discretionary controls

Discretionary controls are controls that, as their name suggests, are subject to human discretion. For example, a control that goods are not dispatched to a customer with an overdue account may be discretionary (the customer may have a good previous payment record or be too important to risk antagonising).

Non-discretionary controls are provided automatically by the system and cannot be bypassed, ignored or overridden. For example, checking the signature on a purchase order is discretionary, whereas entering a PIN at a cash machine is a non-discretionary control.

4.2.5 Voluntary and mandated controls

Voluntary controls are chosen by the organisation to support the management of the business. Authorisation controls, such as requiring certain key transactions to be approved by a senior manager, are voluntary controls.

Mandated controls are required by law and imposed by external authorities. A financial services organisation may be subject to the control that only people authorised by the financial services regulatory body may give investment advice.

4.2.6 General and application controls

These controls are used to reduce the risks associated with the computer environment. General controls are controls that relate to the environment in which the application system is operated. Application controls are controls that prevent, detect and correct errors and irregularities as transactions flow through the business system.

4.2.7 Financial and non-financial controls

Financial controls focus on the key transaction areas, with the emphasis being on the safeguarding of assets and the maintenance of proper accounting records and reliable financial information.  Financial controls need to ensure that:

  • Assets and transactions are recorded completely in the accounting records
  • Entries are posted correctly to the accounting records, for example to the correct accounts
  • Cut-off is applied correctly, so that transactions are recorded in the correct year
  • The accounting system can provide the necessary data to prepare the annual report and accounts – relating to how the data within the accounting system is organised as well as the completeness and accuracy of the data
  • The accounting system does provide the data as required – that the system is organised to supply on time and in a usable format the data that underpins the accounts and the other content of the annual report

Non-financial controls tend to concentrate on wider performance issues. Quantitative non-financial controls include numeric techniques, such as performance indicators, the balanced scorecard and activity-based management. Qualitative non-financial controls include many topics we have already discussed, such as organisational structures, rules and guidelines, strategic plans and human resource policies.

You need a good understanding of what controls are designed to achieve, to be able to implement them effectively. Demonstrating your role in the implementation of internal controls will help you fulfil performance objective 4 of your PER.

Over the last 20 years the Basel Committee on Banking Supervision has made important recommendations affecting risk management and internal control operated by banks. The committee’s recommendations include recommendations about the minimum capital banks should hold and also how credit, operational and market risk should be measured and managed.

The Committee highlights the need for boards to treat the analysis of a bank’s current and future capital requirements in relation to its strategic objectives as a vital element of the strategic planning process. Control systems should relate risk to the bank’s required capital levels. The board or senior management should understand and approve control systems such as credit rating systems. Banks should use value at risk models that capture general market risks and specific risk exposures of portfolios.

The Committee stresses the importance of banks having an operational risk management function that develops strategies, codifies policies and procedures for the whole organisation and designs and implements assessment methodology and risk reporting systems. It is particularly important for banks to establish and maintain adequate systems and controls sufficient to give management and supervisors the confidence that their valuation estimates are prudent and reliable.

Banks’ risk assessment systems (including the internal validation processes) must be subject to regular review by external auditors and/or supervisors. The regular review of the overall risk management process should cover:

  • The adequacy of the documentation of the risk management system and process
  • The organisation of the risk control unit
  • The integration of market risk measures into daily risk management
  • The approval process for risk pricing models and valuation systems
  • The validation of any significant change in the risk measurement process
  • The scope of market risks captured by the risk measurement model
  • The integrity of the management information system
  • The accuracy and completeness of position data
  • The verification of the consistency, timeliness and reliability of data sources
  • The accuracy and appropriateness of volatility and correlation assumptions
  • The accuracy of valuation and risk calculations
  • The verification of the model’s accuracy through frequent testing and review of results

Further details about the reports of the Basel Committee are on the website of the Bank for International Settlements.


Exam focus point

Remember the importance of the control system looking well beyond financial controls and including quantitative performance indicators and a variety of non-financial controls.

4.3 Types of procedure

International Standard on Auditing 315 Identifying and assessing the risks of material misstatement through understanding the entity and its environment provides examples of specific procedures (control activities).

  • Authorisation
  • Performance reviews
  • Information processing
  • Physical controls
  • Segregation of duties
  • IT general controls
  • IT application controls

The following mnemonic, SPAMSOAP, is useful for classifying the different types of control activities.

  • Segregation of duties
  • Physical
  • Authorisation and approval
  • Management
  • Supervision
  • Organisation
  • Arithmetical and accounting
  • Personnel

At Professional level, you should be thinking in particular about higher-level ‘management’ controls. Using the above mnemonic, we can give examples of higher-level internal controls.

  • Segregation of duties. For example, the chairman/chief executive roles should be split.
  • Physical. These are measures to secure the custody of assets, eg only authorised personnel are allowed to move funds on to the money market.
  • Authorisation and approval. All transactions should require authorisation or approval by an appropriate responsible person. Limits for the authorisations should be specified, eg a remuneration committee is staffed by non-executive directors to decide directors’ pay.
  • Management. Management should provide control through analysis and review of accounts, eg variance analysis and provision of internal audit services.
  • Supervision of the recording and operations of day-to-day transactions. This ensures that all individuals are aware that their work will be checked, reducing the risk of falsification or errors, eg budgets, managers’ review, exception or variance reports.
  • Organisation: identify reporting lines, levels of authority and responsibility. This ensures that everyone is aware of their control (and other) responsibilities, especially in ensuring adherence to management policies, eg avoid staff reporting to more than one manager. Procedures manuals will be helpful here.
  • Arithmetical and accounting. This involves checking the correct and accurate recording and processing of transactions, eg reconciliations, trial balances.
  • Personnel. Attention should be given to selection, training and qualifications of personnel, as well as personal qualities. The quality of any system is dependent on the competence and integrity of those who carry out control operations, eg use only qualified staff as internal auditors.
Exam focus point

In the exam you will be expected to apply the SPAMSOAP mnemonic to assess the overall adequacy of the control framework. Applying it means assessing examples of controls from the scenario; it does not mean just listing the eight types of control.



In June 2007 Mazda established a dedicated section for the promotion of internal controls. In particular it worked with related departments and affiliates to help them respond to reporting requirements on internal control.


4.4 Controls over financial reporting

In particular robust controls need to be in place to ensure the quality of financial reporting. COSO’s guidance stresses that disciplined policies and procedures need to cover all aspects of the recording process. Examples include journal entries being authorised, supported by adequate documentation and reviewed by a senior manager.

Some controls will operate across the organisation, but additional controls will be needed for high-risk areas, such as accounting estimates or areas where frauds could occur. The organisation also needs to ensure that software used for financial reporting activities has appropriate controls inbuilt.

A logical division of duties is particularly important in mitigating risks to the integrity of financial reporting. This can be reinforced, for example, by IT controls restricting access to data and programs. Where segregation of duties is not practical and access to accounting records cannot be limited, then it is more important for managers to monitor records closely. This may include regular review of transaction reports, reviews of selected transactions, periodic asset counts and checks on reconciliations.

Other particularly important controls to ensure the accuracy of information include:

  • Full documentation of assets, liabilities and transactions
  • Matching of source documents and accounting records
  • Confirmation of information by suppliers, customers and banks
  • Reconciliation of information from different source documents and other sources
  • Completeness checks over documents and accounting entries
  • Reperformance of accounting calculations
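As an added example (not the study text's or COSO's own code), the following Python models the controls described above: an access check decides who may prepare and approve journal entries, an unbalanced or undocumented entry is rejected before approval, the preparer cannot approve their own entry, and an exception report gives the reviewing manager the transaction listing that compensates where segregation is not practical. The user directory, role names, reporting threshold and entries are assumptions constructed for the example.

```python
# Added example (not from the study text): segregation of duties over journal
# entries enforced by role checks, with an exception report as the compensating
# control where one person must both prepare and approve.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed user directory (assumed): who may prepare, approve and review.
ROLES: Dict[str, Set[str]] = {
    "alice": {"prepare"},
    "bob": {"prepare", "approve"},
    "carol": {"approve", "review"},            # senior manager
    "dave": {"prepare", "approve", "review"},  # one-person finance function
}


class ControlViolation(Exception):
    """Raised when an action would breach a control."""


@dataclass
class JournalEntry:
    entry_id: str
    lines: List[Tuple[str, float, float]]  # (account, debit, credit)
    prepared_by: str
    support_doc: str
    approved_by: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def require(user: str, permission: str) -> None:
    """IT access control: the system, not the user, decides who may do what."""
    if permission not in ROLES.get(user, set()):
        raise ControlViolation(f"{user} may not {permission}")


def prepare(entry_id: str, lines, user: str, support_doc: str) -> JournalEntry:
    require(user, "prepare")
    if not support_doc:
        raise ControlViolation("entry has no supporting documentation")
    debits = sum(dr for _, dr, _ in lines)
    credits = sum(cr for _, _, cr in lines)
    if abs(debits - credits) > 1e-9:  # arithmetical control: entry must balance
        raise ControlViolation(f"entry does not balance: dr {debits} cr {credits}")
    return JournalEntry(entry_id, list(lines), user, support_doc)


def approve(entry: JournalEntry, user: str, segregation_possible: bool = True) -> JournalEntry:
    require(user, "approve")
    if user == entry.prepared_by:
        if segregation_possible:
            raise ControlViolation("preparer may not approve their own entry")
        # Assumed compensating control: self-approval is allowed only where no
        # second person exists, and the entry is flagged for management review.
        entry.flags.append("self-approved")
    entry.approved_by = user
    return entry


def post(entry: JournalEntry, ledger: Dict[str, float], log: List[JournalEntry]) -> None:
    if entry.approved_by is None:
        raise ControlViolation("unapproved entry cannot be posted")
    for account, dr, cr in entry.lines:
        ledger[account] = ledger.get(account, 0.0) + dr - cr
    log.append(entry)  # the transaction log the reviewing manager reads


def exception_report(log: List[JournalEntry], threshold: float = 10_000.0) -> List[str]:
    """Transaction report for the reviewer: flagged entries and large ones."""
    return [e.entry_id for e in log
            if e.flags or sum(dr for _, dr, _ in e.lines) >= threshold]


def run_example():
    ledger: Dict[str, float] = {}
    log: List[JournalEntry] = []
    # Normal path: alice prepares, bob approves.
    e1 = prepare("JE-1", [("expenses", 500.0, 0.0), ("bank", 0.0, 500.0)], "alice", "INV-1")
    post(approve(e1, "bob"), ledger, log)
    # Segregation breach: bob prepares and tries to approve his own entry.
    e2 = prepare("JE-2", [("expenses", 20000.0, 0.0), ("bank", 0.0, 20000.0)], "bob", "INV-2")
    try:
        approve(e2, "bob")
        breach = "not caught"
    except ControlViolation as exc:
        breach = str(exc)
    post(approve(e2, "carol"), ledger, log)
    # Small company: dave is the only person; self-approval is flagged, not blocked.
    e3 = prepare("JE-3", [("expenses", 50.0, 0.0), ("bank", 0.0, 50.0)], "dave", "RCPT-3")
    post(approve(e3, "dave", segregation_possible=False), ledger, log)
    return ledger, breach, exception_report(log)


if __name__ == "__main__":
    print(run_example())
```

The point to carry into a scenario is that the segregation check lives in the posting system rather than in a procedures manual, so it cannot be skipped by a busy clerk, while the exception report is what management falls back on when the headcount does not allow two people per transaction.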



A survey into companies that disclosed control weaknesses when reporting under the Sarbanes-Oxley legislation revealed that poor internal control was often related to an insufficient commitment of resources to accounting controls. The most common areas of weakness included:

  • Account-specific weaknesses, particularly in the accounts receivable and payable and inventory accounts, with inaccurate adjustments to inventory and failure to track inventory transactions; other problems were reported in complex accounts, for example income taxes and derivatives
  • Training – inadequate qualified staff and resourcing, lack of expertise in complex accounts and financial reporting
  • Period-end issues and accounting policies, including lack of controls over application of accounting principles and no compliance checking for SEC filings
  • Revenue recognition problems such as lack of formal detail in contracts or ‘channel-stuffing’ (shipping excess products which were subsequently returned)
  • Lack of segregation of duties
  • Problems with accounts reconciliation and lack of compliance with procedures for monitoring and adjusting balances

Rather worryingly, a 2010 audit report on the US Securities and Exchange Commission found material weaknesses that resulted in the conclusion that the Commission had not maintained effective internal control over financial reporting. The Commission had struggled to maintain financial control since it first prepared financial statements in 2004, but by 2010 still had weaknesses in the areas of information security, the financial reporting process, budgetary resources, deposits, information systems, penalties and required supplementary information.

5 Control activities and risk management

FAST FORWARD            An organisation’s internal controls should be designed to counter the risks that are a consequence of the objectives it pursues.

5.1 Links between controls and risks

COSO’s guidance states that risk assessment should determine where controls are most needed, helping the organisation focus on the risks that have the greatest impact on achievement of its operational objectives.

The UK Turnbull report also stresses the links between internal controls and risk very strongly.



A new employee in the marketing department has asked you about the business objective of meeting or exceeding sales targets.


  • What is the main risk associated with the business objective to meet or exceed sales targets?
  • How can management reduce the likelihood of occurrence and impact of the risk?
  • What controls should be associated with reducing the likelihood of occurrence and impact of the risk?



This question is based on an example in the COSO guidance.

  • One very important risk would be having insufficient knowledge of customers’ needs.
  • Managers can compile buying histories of existing customers and undertake market research into new customers.
  • Controls might include checking the progress of the development of customer histories against the timetable for those histories and taking steps to ensure that the data is accurate.


COSO also suggests that the links between risks and controls may be complex. Some controls, for example calculation of staff turnover, may indicate how successful management has been in responding to several risks, for example competitor recruiting and lack of effectiveness of staff training and development programmes. On the other hand, some risks may require a significant number of internal controls to deal with them.

6 Costs and benefits of control activities    6/08, 6/09, 12/14

FAST FORWARD            Sometimes the benefits of controls will be outweighed by their costs, and organisations should compare them. However, it is difficult to put a monetary value on many benefits and costs of controls, and also the potential losses if controls are not in place. 

6.1 Benefits of internal controls

The benefits of internal control, even well-directed ones, are not limitless. Controls can provide reasonable, not absolute, assurance that the organisation is progressing towards its objectives, safeguarding its assets and complying with laws and regulations. Internal controls cannot guarantee success, as there are plenty of environmental factors (economic indicators, competitor actions) beyond the organisation’s control.

In addition, we have seen that there are various inherent limitations in control systems, including faulty decision-making and breakdowns occurring because of human error. The control system may also be vulnerable to employee collusion and management override of controls undermining the control systems.

However, the benefits of internal control are not always measurable in financial terms. They may include improvements in efficiency and effectiveness. There may also be indirect benefits, such as improved control systems resulting in external audit being able to place more reliance on the organisation’s systems, hence needing to do less work and (hopefully) charging a lower audit fee.

6.2 Costs of internal controls

As well as realising the limitations of the benefits of controls, it is also important to realise their costs. Some costs are obvious; for example, the salary of a night security officer to keep watch over the premises. There are also opportunity costs through, for example, increased manager time being spent on review rather than dealing with customers.

More general costs include reduced flexibility, responsiveness and creativity within the organisation.

One common complaint is that the controls stifle initiative, although this is not always well founded, particularly if the initiative involves too casual an approach to risk management.

6.3 Benefits vs costs

The principle that the costs of controls need to be compared with benefits is reasonable. The internal controls may not be felt to be worth the reduction in risk that they achieve.

However, the comparison of benefits and costs may be difficult in practice.

  • It can be difficult to estimate the potential monetary loss or gain that could occur as a result of exposure to risk if no measures are taken to combat the risk.
  • It can be difficult to assess by how much the possible loss or gain is affected by a control measure, particularly if the benefit of control is to reduce, but not eliminate the risk (something which will be true for many controls).
  • As we have seen, many benefits of controls are non-monetary, for example improvements in employee attitudes or the reputation of the organisation.
  • Certain drawbacks of controls are also difficult to factor into decisions, including adherence to controls meaning an inability to cope with the unexpected and controls giving the illusion that all risks are being reduced.

Exam focus point

Remembering costs versus benefits arguments should help you keep your answer in perspective. A common complaint of examiners of papers where internal controls are tested is that the controls many students suggest are too elaborate and therefore not appropriate for the organisations described in the questions.


Question   SPAMSOAP
Which SPAMSOAP controls are you most likely to be discussing in this paper?  

Management is obviously particularly important, not least because it shows that there is a clear distinction between management and supervision. Other very important controls are those linked to the control environment, organisation and personnel. We have seen in Chapter 3 that authorisation and approval at board level are extremely important, with the board having certain decisions reserved for itself. Physical controls over major assets might also be important if there is a significant risk of loss.

Segregation of duties may be most significant in the context of splitting the roles of chairman and chief executive. You may see questions where a lack of segregation has led to losses. Arithmetical and accounting controls may appear to be of least importance. However, they may be significant insofar as they guarantee the quality of the information provided to management for decision-making. We shall look at issues related to this information in the next chapter.



Chapter Roundup

Risk assessment involves analysing, profiling and consolidating risks.
Methods for dealing with risk include risk avoidance, risk reduction, risk acceptance and risk transference.


Diversification limits financial risk by taking on a portfolio of different risks constructed so that, should they all crystallise, the outcome will be neutral.

Hedging is the main method used to control interest rate and exchange rate risks.


Controls can be classified in various ways including corporate, management, business process and transaction, administrative and accounting, prevent, detect and correct, discretionary and nondiscretionary, voluntary and mandated.

The mnemonic SPAMSOAP can be used to remember the main types of control.

An organisation’s internal controls should be designed to counter the risks that are a consequence of the objectives it pursues.
Sometimes the benefits of controls will be outweighed by their costs, and organisations should compare them. However, it is difficult to put a monetary value on many benefits and costs of controls, and also the potential losses if controls are not in place.



Quick Quiz

1 Give five examples of factors that will determine the chances of a risk materialising and the consequences of it materialising.

2 What key indicators should risk quantification provide?

3 Complete the likelihood-consequences matrix in relation to methods of dealing with risk.

4 Fill in the blank: …………………………………. is taking an action that will offset an exposure to a risk by incurring a new risk in the opposite direction.

5 Match the control and control type:

  • Checking of delivery notes against invoices
  • Back-up of computer input
  • Bank reconciliation

  with

  • Prevent
  • Detect
  • Correct

6 Fill in the blank: …………………………………. control is required by law and imposed by external authorities.

7 Which of the following is an example of a business process control?

  A Audit committee
  B Reporting process to superiors
  C Authorisation limits
  D Completeness of input check

8 When deciding whether the benefits of controls justify the costs, organisations should always focus on the financial benefits and costs. True or false?



Answers to Quick Quiz

1 Any five from:

  • The importance of the strategic objective to which the risk relates
  • The type of risk and whether it represents an opportunity or a threat
  • The direct and indirect impact of the risk
  • The likelihood of the risk
  • The cost of different responses to the risk
  • The organisation’s environment
  • Constraints within the organisation
  • The organisation’s ability to respond to events

2 Risk quantification should indicate:

  • The average or expected result
  • The chances of loss
  • The frequency of losses
  • The largest predictable loss

4 Hedging

5 Checking of delivery notes against invoices: prevent. Back-up of computer input: correct. Bank reconciliation: detect.

6 Mandated

7 C Authorisation limits (the audit committee is a corporate control, the reporting process to superiors a management control, and the completeness of input check a transaction control).

8 False. Organisations might also consider the improvements in efficiency and effectiveness that internal controls can bring, and these can’t necessarily be measured in financial terms. Likewise there may be opportunity losses in terms of management time being spent on operating controls which can’t be measured financially.


Number Level Marks Time
Q7 Examination 25 49 mins

08 Information, communication and monitoring

This chapter looks at the last two areas covered in the COSO enterprise risk management
model: information, communication and monitoring.
Communication is at the heart of the chapter. We begin by looking at the qualities that the
information received by directors needs to have in order to enable directors to discharge their
duties effectively and in particular manage risk. However, the board and management will only
receive quality information if there are strong communication procedures. Two-way
communication is important; the directors need to consider not only what they are looking to
receive but also what should be communicated to staff. Directors must communicate desired
behaviour effectively.
In the remainder of the chapter, we examine the monitoring procedures that need to be
carried out in an organisation. Monitoring will involve both ongoing monitoring and separate
evaluation exercises.
Internal audit will have responsibility for carrying out much of the detailed separate
evaluation work, and we look at its role in Section 5. To carry out effective reviews, internal
auditors have to maintain their independence, so we examine the independence issues that
could undermine their work. The audit committee monitors the work of internal audit and we
examine its role in Section 6.
In the last section we cover in detail board monitoring of risk and internal control that we
have mentioned in earlier chapters. One objective of this review is to produce a report
communicating to shareholders how the organisation has been addressing the major risks it
faces. The board has to try to obtain strong assurance that the internal control systems are
working well, as internal control failures can cause strategic failure and loss of capital value.

Study guide

    Intellectual level
A4  Board committees   
(b) Explain and evaluate the role and purpose of the following committees in effective corporate governance: remuneration committee, nominations committee, risk committee, audit committee. 3
B1 Management control systems in corporate governance  
(a) Define and explain internal management control. 2
(d) Identify, explain and evaluate the corporate governance and executive management roles in risk management (in particular the separation between responsibility for ensuring adequate risk systems are in place and the application of risk management procedures and practices in the organisation). 3
B2 Internal control, audit and compliance in corporate governance  
(a) Describe the function and importance of internal audit. 1
(b) Explain, and discuss the importance of, auditor independence in all client audit situations (including internal audit). 3
(c) Explain, and assess the nature and sources of risks, to auditor independence. Assess the hazard of auditor capture. 3
(d) Explain and evaluate the importance of compliance and the role of the internal audit function in internal control. 3
(f) Describe and analyse the work of the audit committee in overseeing the internal audit function. 2
(g) Explain, and explore the importance and characteristics of, the audit committee’s relationship with external auditors. 2
B3 Internal control and reporting  
(a) Describe and assess the need to report on internal controls to shareholders. 3
(b) Describe the content of a report on internal control and audit. 2
B4 Management information in audit and internal control  
(a) Explain and assess the need for adequate information flows to management for the purposes of the management of internal control and risk. 3
(b) Evaluate the qualities and characteristics of information required in internal control and risk management and monitoring. 3
C3 Identification, assessment and measurement of risk  
(c) Describe and evaluate a framework for board-level consideration of risk. 3
(d) Describe the process and importance of (externally) reporting on internal control and risk. 2
(e) Explain the sources, and assess the importance of, accurate information for risk management. 3
D1 Targeting and monitoring of risk  
(c) Describe and assess the role of internal or external risk auditing in monitoring risk. 3
D2 Methods of controlling and reducing risk  
(a) Explain the importance of risk awareness at all levels in an organisation. 2

Exam guide

In scenarios, look out for information on communication links. Poor communication is often an important sign of a weak control system. Board review and reporting are key elements in the control system and you’ll need to know what an effective board review involves. The role of risk audits, the independence of internal audit and the role of the audit committee are also popular exam issues.

1 Information requirements of directors    12/09, 12/14


Directors need information from a large variety of sources to be able to supervise and review the operation of the internal control systems. Information sources should include normal reporting procedures, but staff should also have channels available to report problems or doubtful practices of others.

1.1 Types of information
1.1.1 Strategic information

Strategic information is used to plan the objectives of the organisation, and to assess whether the objectives are being met in practice. Such information includes overall profitability, the profitability of different segments of the business, future market prospects, the availability and cost of raising new funds, total cash needs, total manning levels and capital equipment needs.

Strategic information is:

  • Derived from both internal and external sources
  • Summarised at a high level
  • Relevant to the long term
  • Concerned with the whole organisation
  • Often prepared on an ‘ad hoc’ basis
  • Both quantitative and qualitative
  • Often uncertain, as the future cannot be accurately predicted
1.1.2 Tactical information

Tactical information is used to decide how the resources of the business should be employed, and to monitor how they are being and have been employed. Such information includes productivity measurements (output per hour), budgetary control reports, variance analysis reports, cash flow forecasts, staffing levels and short-term purchasing requirements.

Tactical information is:

  • Primarily generated internally (but may have a limited external component)
  • Summarised at a lower level
  • Relevant to the short and medium term
  • Concerned with activities or departments
  • Prepared routinely and regularly
  • Based on quantitative measures
1.1.3 Operational information

Operational information is used to ensure that specific operational tasks are planned and carried out as intended.

Operational information is:

  • Derived from internal sources such as transaction recording methods
  • Detailed, being the processing of raw data (for example transaction reports listing all transactions in a period)
  • Relevant to the immediate term
  • Task-specific
  • Prepared very frequently
  • Largely quantitative
1.2 The qualities of good information 12/12

The COSO guidance stresses the importance of the board and management having good quality information. ‘Good’ information is information that adds to the understanding of a situation. The qualities of good information are outlined in the following table.

Quality: Example
Accurate: Figures should add up, the degree of rounding should be appropriate, there should be no typos, items should be allocated to the correct category, and assumptions should be stated for uncertain information.
Complete: Information should include everything that it needs to include, for example external data if relevant, comparative information and qualitative information as well as quantitative. Sometimes managers or strategic planners will need to build on the available information to produce a forecast using assumptions or extrapolations.
Cost-beneficial: It should not cost more to obtain the information than the benefit derived from having it. Providers of information should be given efficient means of collecting and analysing it. Users should not waste time working out what it means.
User-targeted: The needs of the user should be borne in mind; for instance, senior managers need strategic summaries, and junior managers need detail.
Relevant: Information that is not needed for a decision should be omitted, no matter how ‘interesting’ it may be.
Authoritative: The source of the information should be a reliable one. However, subjective information (eg expert opinions) may be required in addition to objective facts.
Timely: The information should be available when it is needed. It should also cover relevant time periods and the future as well as the past.
Easy to use: Information should be clearly presented, not excessively long, and sent using the right medium and communication channel (email, telephone, hard-copy report).
1.3 Needs of directors

We have emphasised above that board and senior manager involvement is a critical element of internal control systems and the control environment. They will need:

  • Financial information – important for internal purposes and to fulfil legal requirements for true and fair external reporting
  • Non-financial information such as quality reports, customer complaints, human resource data
  • External information about competitors, suppliers, impact of future economic and social trends

There are various ways in which management can obtain the information they need to play the necessary active part in control systems.

Managers also need to take into account the needs of internal and external auditors for accurate and precise information.

You need to appreciate what information managers require and why they require it to fulfil performance objective 4 of the PER.  

Exam focus point    Question 1 in December 2009 asked about the qualities of information and why the board needed to have information relating to key operational risks and controls.
1.4 Information sources

The information directors need to be able to monitor controls effectively comes from a wide variety of sources. Directors can obtain information partly through their own efforts. However, if information systems are to work effectively, it is vital that they identify particular people or departments who are responsible for providing particular information. Controls must be built into the systems to ensure that those responsible provide that data. This is particularly important in the context of the information that supports the contents of the financial statements and is used by internal and external audit and the audit committee.

1.4.1 The directors’ own efforts

Directors will receive reports from the audit committee and risk committee. Management walking about and regular visits by the directors to operations may yield valuable insights and should help the directors understand the context in which controls are currently operating.

1.4.2 Reports from subordinates

There should be systems in place for all staff with supervisory responsibilities to report on a regular basis to senior managers, and senior managers in turn to report regularly to directors. The COSO guidelines comment:

‘Among the most critical communications channels is that between top management and the board of directors. Management must keep the board up to date on performance, developments, risk and the functioning of enterprise risk management and other relevant events or issues. The better the communications, the more effective the board will be in carrying out its oversight responsibilities, in acting as a sounding board on critical issues and in providing advice, counsel and direction. By the same token the board should communicate to management what information it needs and provide feedback and direction.’ 

However, COSO’s guidance also emphasises the need for the board to use information sources other than sub-board management, including internal and external auditors and regulators. There should be channels for stakeholders who have information about the effectiveness of internal controls to communicate with the company.

1.4.3 Lines of communication

Very importantly directors must ensure that staff have lines of communication that can be used to address concerns. There should be normal communication channels through which most concerns are addressed, but there should also be alternative channels for reporting if normal communication channels are ineffective. These include communication channels for staff to report, or whistleblow, particularly serious problems and perhaps active seeking of feedback through staff attitude surveys. 

As well as channels existing, it is also important that staff believe that directors and managers want to know about problems and will deal with them effectively. Staff must believe that there will be no reprisals for reporting relevant information.



As part of its initiative to enhance internal control, Mazda carries out educational and awareness-raising activities throughout the company and its affiliates. These include circulating case studies of compliance and risk management problems at other companies, and the solutions used to deal with them.

Mazda is particularly concerned with information security. Employees are trained on the management of confidential information when they join and subsequently go on refresher courses.

When employees are unsure of how to proceed with integrity, Mazda encourages them to consult with other employees. Mazda’s global hotline accepts reports of ethical violations in complete confidentiality.


1.4.4 Reports from control functions

Organisational functions that have a key role to play in internal control systems must report on a regular basis to the board and senior management. One example is the need for a close relationship between internal audit and the audit committee. The human resources function should also report regularly to the board about personnel practices in operational units. Poor human resource management can often be an indicator of future problems with controls, since it may create dissatisfied staff or staff who believe that laxness will be tolerated.

1.4.5 Reports on activities

The board should receive regular reports on certain activities. A good example is major developments in computerised systems. As well as board approval before the start of key stages of the development process, the board needs to be informed of progress and any problems during the course of the project, so that any difficulties with potentially serious consequences can be rapidly addressed.

1.4.6 Reports on resolution of deficiencies

Similarly, the board should obtain evidence to confirm that control deficiencies that have previously been identified have been resolved. When it has been agreed that action should be taken to deal with problems, this should include a timescale for action and also reporting that the actions have been implemented.

1.4.7 Results of checks

The board should receive confirmation as a matter of course that the necessary checks on the operation of the controls have been carried out satisfactorily and that the results have been clearly reported. This includes gaining assurance that the right sort of check has been performed. For example, random checks may be required on high risk areas, such as unauthorised access to computer systems. Sufficient independent evidence from external or internal audit should be obtained to reinforce the evidence supplied by operational units.

1.4.8 Exception reporting

Exception reports highlighting variances in budgeting systems, performance measures, quality targets and planning systems are an important part of the information that management receives. Organisations should have a system of exception reporting that will trigger action if potential risks have been identified.

You will remember from your management accounting studies that adverse variances are often an important sign of problems, and indicate a need to tighten internal control.

Managers may consider the following issues when deciding whether to investigate further.

  • Materiality. Small variations in a single period are bound to occur and are unlikely to be significant. Obtaining an ‘explanation’ is likely to be time consuming and irritating for the manager concerned. The explanation will often be ‘chance’, which is not particularly helpful.
  • Controllability. Controllability must also influence the decision whether to investigate further. If there is a general worldwide price increase in the price of an important raw material there is nothing that can be done internally to control the effect of this.
  • Variance trend. If, say, an efficiency variance is £1,000 adverse in month 1, the obvious conclusion is that the process is out of control and that corrective action must be taken. This may be correct, but what if the same variance is £1,000 adverse every month? The trend indicates that the process is in control and the standard has been wrongly set.
  • Cost. The likely cost of an investigation needs to be weighed against the cost to the organisation of allowing the variance to continue in future periods.
  • Interrelationship of variances. Quite possibly, individual variances should not be looked at in isolation. One variance might be interrelated with another, and much of it might have occurred only because the other, interrelated, variance occurred too.
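As an added illustration (not from the text, COSO or the examiner), the following Python encodes the five investigation criteria above as exception-reporting rules and runs them over constructed monthly variance data; the thresholds, line names and figures are assumptions chosen to exercise each rule, including the ‘same variance every month’ case and an adverse usage variance offset by a favourable price variance.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional


@dataclass
class VarianceLine:
    """One budget line and its variance history (oldest first; negative = adverse)."""
    name: str
    budget: float                     # budgeted amount per period, for % materiality
    history: List[float]
    controllable: bool = True         # can management act on the cause internally?
    related_to: Optional[str] = None  # name of an interrelated variance line, if any


@dataclass
class Decision:
    line: str
    action: str   # ignore | note | investigate | review_standard
    reason: str


def is_material(variance: float, budget: float, abs_limit: float, pct_limit: float) -> bool:
    """Materiality: significant either in absolute terms or as a share of budget."""
    if abs(variance) >= abs_limit:
        return True
    return budget > 0 and abs(variance) / budget >= pct_limit


def is_persistent(history: List[float], periods: int, tolerance: float) -> bool:
    """True when the last `periods` variances are all adverse and roughly equal:
    the '£1,000 adverse every month' pattern (process in control, standard wrong)."""
    tail = history[-periods:]
    if len(tail) < periods or any(v >= 0 for v in tail):
        return False
    return pstdev(tail) <= tolerance * abs(mean(tail))


def decide(line: VarianceLine, *, abs_limit: float = 500.0, pct_limit: float = 0.05,
           trend_periods: int = 3, trend_tolerance: float = 0.1,
           investigation_cost: float = 800.0, remaining_periods: int = 6) -> Decision:
    """Apply the materiality, trend, controllability and cost criteria in turn.
    All threshold values are assumptions for illustration."""
    latest = line.history[-1]
    if not is_material(latest, line.budget, abs_limit, pct_limit):
        return Decision(line.name, "ignore", "immaterial in this period")
    if latest > 0:
        return Decision(line.name, "note", "material but favourable")
    if is_persistent(line.history, trend_periods, trend_tolerance):
        return Decision(line.name, "review_standard",
                        f"same adverse variance for {trend_periods} periods; "
                        "process is in control, the standard is probably wrongly set")
    if not line.controllable:
        return Decision(line.name, "note",
                        "cause not controllable internally; report but do not investigate")
    cost_of_inaction = abs(latest) * remaining_periods   # variance allowed to continue
    if cost_of_inaction < investigation_cost:
        return Decision(line.name, "note",
                        f"investigation cost {investigation_cost:.0f} exceeds "
                        f"expected cost of continuing {cost_of_inaction:.0f}")
    return Decision(line.name, "investigate",
                    "material, adverse, controllable and worth the cost of investigating")


def exception_report(lines: List[VarianceLine], **thresholds) -> Dict[str, Decision]:
    """Decide every line, then apply the interrelationship rule: an adverse variance
    that is offset by a favourable related variance is reported with it, not alone."""
    by_name = {ln.name: ln for ln in lines}
    decisions = {ln.name: decide(ln, **thresholds) for ln in lines}
    abs_limit = thresholds.get("abs_limit", 500.0)   # same defaults as decide()
    pct_limit = thresholds.get("pct_limit", 0.05)
    for ln in lines:
        other = by_name.get(ln.related_to) if ln.related_to else None
        if other is None or decisions[ln.name].action != "investigate":
            continue
        net = ln.history[-1] + other.history[-1]
        if other.history[-1] > 0 and not is_material(net, ln.budget, abs_limit, pct_limit):
            decisions[ln.name] = Decision(
                ln.name, "note",
                f"offset by favourable {other.name}; net variance {net:.0f} is immaterial")
    return decisions


# Constructed sample data (assumptions for illustration, not real figures).
SAMPLE_LINES = [
    VarianceLine("labour_efficiency", 20_000, [-1000, -1000, -1000, -1000]),
    VarianceLine("material_price_steel", 50_000, [-200, -2500, -3100], controllable=False),
    VarianceLine("material_price_resin", 10_000, [100, 900]),
    VarianceLine("material_usage_resin", 10_000, [-50, -1100], related_to="material_price_resin"),
    VarianceLine("overtime", 8_000, [-100, -150, -2400]),
    VarianceLine("stationery", 1_000, [30, -60]),
    VarianceLine("postage", 5_000, [-40]),
]

if __name__ == "__main__":
    for name, d in exception_report(SAMPLE_LINES).items():
        print(f"{name:22} {d.action:16} {d.reason}")
```

Only the overtime line ends up flagged for investigation; the persistent labour variance is routed to a standard review and the resin usage variance is reported together with the price variance that offsets it.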
1.4.9 Feedback from customers

Customer responses, particularly complaints, are important evidence for the board to consider, particularly as regards how controls ensure the quality of output.



For governmental organisations, monitoring the quality of service is particularly important. The UK’s Good Governance Standard for Public Services points out that users of public services, unlike consumers in the private sector, have little or no option to go elsewhere for services or to withdraw payment. The governing body of a public service therefore needs to decide how to measure quality of service, and be able to measure it effectively and regularly. It should ensure it has processes in place to hear the views of users and non-users from all backgrounds and communities about their needs, and the views of service users from all backgrounds about the suitability and quality of services.


1.5 Making best use of information
1.5.1 Comparison of different sources of information

The pictures gleaned from different sources must be compared and discrepancies followed up and addressed. Not only does the board need to have a true picture of what is happening but discrepancies might highlight problems with existing sources of information that need to be addressed. In particular, if random or special checks identify problems that should have been picked up and reported through regular channels, then the adequacy of these channels needs to be considered carefully.

1.5.2 Feedback to others

Directors need to ensure that as well as their obtaining the information needed in order to review internal control systems, relevant information on controls is also passed to all those within the organisation who need it directly. For example sales staff who obtain customer feedback on product shortcomings need to be aware of the channels for communicating with staff responsible for product quality and also staff responsible for product design.

1.5.3 Review procedures

As well as investigating and resolving problems with the information they receive, the board ought to undertake a regular review of the information sources that they need. They should, as we will see in Section 3, review in general the whole system of supervision to assess its adequacy and also to assess whether any layers of supervision or review can be reduced.



COSO’s guidance on controls over financial reporting emphasises that information systems must capture the data for financial transactions and events that underlie financial statements. This information will be used for adjusting entries, estimates and reasonableness checks. Managers responsible for financial reporting need to discuss with operational staff information used to manage and control day-to-day operations and how this information relates to accounting and financial reporting.


1.6 Failures in information provision

As with other controls, a failure to take provision of information and communication seriously can have adverse consequences. For example, management may not insist on a business unit providing the required information if that business unit appears to be performing well. Also, if there is a system of reporting by exception, what is important enough to be reported will be left to the judgement of operational managers who may be disinclined to report problems. Senior management may then not learn about potential problems in time.

Exam focus point    A key question to ask when analysing control systems is how strong the feedback mechanisms appear to be and whether they are appropriate for the organisation.

2 Communication with employees

FAST FORWARD                    Procedures improving staff abilities and attitudes should be built into the control framework.

Communication of control and risk management issues and strong human resource procedures reinforce the control systems.

2.1 Importance of human element

It is very easy to design a control system that appears good on paper but is unworkable because it is not geared to the user’s practicality and usefulness. A detailed technical manual covering information technology controls may be of little use if staff lack sufficient knowledge of information technology. Controls may not work very well if staff lack motivation or the basic skills for the job in the first place. On the other hand, if good staff are taken on, they may well develop the necessary controls as part of their day-to-day work.

2.2 Important human resource issues

The UK Turnbull report stresses that all employees have some responsibility for internal control and need to have the necessary skills, knowledge and understanding in particular of the risks the organisation faces.

2.3 Improving staff awareness and attitudes

Turnbull stresses that it is important that all staff understand that risk management is an integral, embedded part of the organisation’s operations. Elaborate risk management innovations may not be the best way to improve performance. It may be better to build warning mechanisms into existing information systems rather than develop separate risk reporting systems.

Turnbull suggests that it is vital to communicate policies in the following areas in particular.

  • Customer relations
  • Service levels for both internal and outsourced activities
  • Health, safety and environmental protection
  • Security of assets and business continuity
  • Expenditure
  • Accounting, financial and other reporting

The briefing suggests that the following steps can be taken.

  • Initial guidance from the chief executive
  • Dissemination of the risk management policy and codes of conduct as well as of key business objectives and internal control
  • Workshops on risk management and internal control
  • A greater proportion of the training budget being spent on internal control
  • Involvement of staff in identifying and responding to change and in operating warning mechanisms
  • Clear channels of communication for reporting breaches and other improprieties
2.4 Training staff

An interactive training event, with participants identifying for themselves the most significant risks and key controls, is likely to be most valuable.

Training days can be particularly useful in emphasising to staff the importance of different types of control (preventative, detective etc) and also the need for some controls to assist staff development, but others to enforce sanctions particularly in cases of dishonesty or negligence.



Here is an example of an internal communications programme slightly adapted from an example in the COSO Framework.

Internal communications programme

  • Management discusses risks and associated risk responses in regular briefings with employees.
  • Management regularly communicates entity-wide risks in employee communications such as newsletters and an intranet.
  • Enterprise risk management policies, standards and procedures are made readily available to employees along with clear statements requiring compliance.
  • Management requires employees to consult with others across the organisation as appropriate when new events are identified.
  • Induction sessions for new employees include information and literature on the company’s risk management philosophy and enterprise risk management programme.
  • Existing employees are required to take workshops and/or refresher courses on the organisation’s enterprise risk management initiatives.
  • The risk management philosophy is reinforced in regular and ongoing internal communication programmes and through specific communication programmes to reinforce tenets of the company’s culture.


2.5 Problems of communication

Large companies, particularly those operating in several jurisdictions, may face particular problems when communicating with and training staff through local cultural and ethical filters. We shall discuss the influence of the country in which individuals work on their ethical attitudes in the next chapter.

Exam focus point    The examiner has stressed the influence of cultural factors on control systems so, when assessing the strength of the control systems, it’s normally worth asking whether their effectiveness may vary due to differences in culture over the whole organisation.

3 Monitoring

FAST FORWARD             To be effective, monitoring by management needs to be ongoing and involve separate evaluation of systems. Deficiencies need to be communicated to all the appropriate people.

Key term         Monitoring ensures that internal control continues to operate effectively. This process involves assessment by appropriate personnel of the design and operation of control on a suitably timely basis, and the taking of necessary actions. It applies to all activities within an organisation and sometimes to outside contractors as well.

Monitoring (means) that the entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both. (COSO)

In 2009 COSO published guidance on monitoring internal control systems.

3.1 Aims of monitoring 6/10

Monitoring should help ensure that internal controls continue to operate effectively and that systems produce accurate and reliable information. It involves the assessment of the design and operation of controls, and involves both ongoing monitoring and separate evaluations. If deficiencies are found, they should be reported, assessed and their root causes corrected. 

Correction of root causes may address why staff have made errors. In this case correction processes may include training, discipline or control redesign. It may involve implementing better controls when controls have been found to be inadequate. The aim of correcting root causes distinguishes monitoring procedures from control procedures. Control procedures seek only to correct errors.

The COSO guidance highlights two fundamental principles.

  • Ongoing monitoring and separate evaluation enable management to determine whether internal controls continue to function over time.
    • Ongoing monitoring includes routine review of reconciliations and system action applications. It may be particularly effective in smaller companies, since their managers will have high-level first-hand knowledge of the company’s activities. Their close involvement in operations should help them identify variances and inaccuracies.
    • Separate evaluation is generally carried out by the audit committee and internal audit, and also includes annual reviews of control procedures. Separate evaluation is likely to be more difficult if a company does not have an internal audit department, as review of control effectiveness within a business unit by a manager responsible for that unit will lack objectivity.
  • Internal control deficiencies should be identified and communicated to those responsible for taking corrective action, management and the board.

The COSO guidance emphasises that monitoring should relate to all control objectives, not just financial reporting objectives. It should evaluate the internal control system’s ability to manage or mitigate meaningful risks to organisational objectives.

If the operation of controls is not measured and monitored by management, their effectiveness may deteriorate over time as circumstances change. Different controls will need more monitoring over time as an organisation’s strategy develops, and the tolerances allowed by those controls will also need to change.

3.2 Role of information

As discussed in earlier sections of this chapter, effective information-gathering processes are an essential part of monitoring. The information provided needs to be suitable and sufficient. The COSO document highlights two types of information.

Direct: Clearly substantiates the operation of controls, obtained by observing and testing controls in operation. These techniques provide the most effective evidence of control operation, as they occur frequently, are integrated with operations and provide direct information about control operation.
Indirect: Other relevant information about operation of controls, including operating statistics, key risk and performance indicators. Seeking indirect information means identifying anomalies that indicate controls might fail to operate effectively. Indirect information will be more useful in stable situations, where risk assessment processes are effective.
3.3 Effective and efficient monitoring

Ineffective monitoring results in control breakdowns and material impacts on the organisation’s ability to achieve its objectives. Inefficient monitoring leads to a lack of focus on the areas of greatest need. Three elements influence the effectiveness and efficiency of monitoring:

  • Establishing a foundation for monitoring that includes a proper tone at the top, an effective organisational structure, and a starting point or baseline of effective internal control
  • Designing and executing monitoring procedures based on prioritising risks and identifying persuasive information about the operation of key controls that mitigate the significant risks
  • Assessing and reporting results, which includes evaluating the severity of any identified deficiencies, prioritising findings, reporting to the correct level and following up on corrective action
3.4 Control environment

To be effective, the control environment elements that have to be in place are:

  • Emphasis at the top of the organisation about the importance of internal control
  • An organisational structure that places people with appropriate skills and authority, objectivity and competence in monitoring roles
3.4.1 Prioritising effective monitoring procedures

The COSO guidance stresses that the business’s overall risk assessment process will also influence the scope of monitoring. Key factors will include the size and complexity of the organisation, the nature of the organisation’s operations, the purpose for which monitoring is being conducted and the relative importance of the underlying controls. COSO provides helpful guidance on how organisations may vary their approach to monitoring.

Control importance – Risks controls address – Possible monitoring approach
Highest – High likelihood, high significance – Ongoing monitoring using direct and indirect information, periodic separate evaluation of direct information
Moderate in short term – Low likelihood, high significance – Ongoing monitoring using indirect information, periodic separate evaluation of direct information
Moderate in long term – High likelihood, low significance – Ongoing monitoring using direct and indirect information, less frequent separate evaluation of direct information
Lowest – Low likelihood, low significance – Relatively infrequent separate evaluations

To ensure monitoring has an appropriate risk-based focus, the organisation should establish a structure that firstly ensures that internal control is effective in a given area and focuses monitoring attention on areas of change. This structure will have the following elements.

Control baseline: A reasonable basis for believing internal controls operate effectively
Change identification process: Identifying changes in processes or risks that indicate controls should have changed; monitoring should focus on the ability of the risk assessment procedures to identify changes in processes or risks that should result in changes in controls, and should also assess whether indicators of change in control design and operation are effective
Change management process: Verifying that the internal control systems have managed changes in controls effectively
Control reconfirmation: Reconfirming control operation through separate evaluation
3.4.2 Communication structure for monitoring 12/12

The results of monitoring need to be reported to the right people and corrective action taken. Deficiencies in internal controls should be reported to the person responsible for the control’s operation and to at least one level higher. The deficiencies need to be assessed in the same terms as risks, the likelihood that a control will fail to detect or prevent a risk’s occurrence and the significance of the potential impact of the risk.

Where control deficiencies are potentially significant, additional monitoring procedures may be needed during the correction period to protect against errors.

COSO’s guidance on controls over financial reporting stresses that effective communication of financial reporting deficiencies is essential. Deficiencies should not only be reported to management responsible but also to at least one level above. This should help ensure that effective action is taken to deal with problems.

Management should also develop a list of signs of control deficiencies that seriously threaten the reliability of financial reporting. If these are identified, they must be reported to senior management and the board. They include illegal or improper acts, significant loss of assets or evidence of previous improper external financial reporting.

3.5 Scale of monitoring

The size of the organisation and the complexity of its operations and controls will be key determinants.



The practical example given in the COSO guidance is a distinction between the purchase function in a large and small company. A company that has 20 people processing invoices, one of whom is not properly trained, may be able to operate for some time without material error. Senior management would not therefore be concerned. A company with only one person processing invoices cannot afford that person to be inadequately trained. Senior management monitoring on a day-to-day basis may be required.


3.6 Monitoring procedures

Monitoring procedures may include:

  • Periodic evaluation and testing of controls by internal audit
  • Continuous monitoring programs built into information systems
  • Analysis of, and appropriate follow-up on, operating reports or metrics that might identify anomalies indicative of a control failure
  • Supervisory reviews of controls, such as reconciliation reviews as a normal part of processing
  • Self-assessment by the board and management regarding the tone they set in the organisation and the effectiveness of their oversight functions
  • Audit committee enquiries of internal and external auditors
  • Quality assurance reviews of the internal audit department
3.6.1 Formality of monitoring

Increased formality will be required in larger organisations, where managers’ knowledge of day-to-day operational control activities is less. If the results of monitoring are being reported outside the organisation, monitoring will also need to be more formal. In particular the organisation will need to be able to provide evidence that supports the reports made.

Increased formality may include:

  • Processes to document and retain monitoring information
  • Policies and processes regarding aggregation, evaluation and reporting of deficiencies to the board, or to the audit and risk committees.



Mazda has separated the execution and management functions through the introduction of the executive officer system. These measures are intended to enhance management efficiency by helping the Board of Directors function more effectively as a supervisory body, enhancing the effectiveness of the Board’s deliberations and speeding up decision-making by delegation of authority to executive officers.

Mazda’s board of corporate auditors, the majority of whom are external auditors, is responsible for auditing business execution by the directors. The Global Auditing Department contributes to sound and efficient management by checking management’s targets, policies and plans, as well as compliance with laws and regulations.

As well as its board of directors, Mazda has established an executive committee to discuss policies and matters of importance. Mazda’s management advisory committee, consisting of the directors and leading external professionals from a diverse range of backgrounds, reviews the soundness and transparency of Mazda’s management practices.


4 Role of management in monitoring

FAST FORWARD: Management is responsible for the implementation of effective monitoring procedures. The board is responsible for ensuring a system of effective monitoring is in place, and for monitoring management’s activities.

4.1 Distinction between role of management and role of board

The UK Turnbull report draws a distinction between the role of senior (operational) management and the role of the board.

4.1.1 Role of management

Turnbull emphasises that monitoring forms part of management’s role to implement board policies on risk and control. Ongoing monitoring is an essential element of a sound system of internal control.

4.1.2 Role of board

Turnbull emphasises that the board cannot just rely on the management monitoring processes to discharge its responsibilities. It should regularly receive and review reports on internal control to ensure that management has implemented an effective monitoring system. It should also carry out an annual assessment that forms the basis of its report on internal controls.

Although the board need not understand the details of every management procedure, it should focus on controls performed directly by senior management, and controls designed to prevent or detect senior management override.

We shall examine the board’s role further in Section 7 of this chapter.

4.2 Qualities of management

COSO stresses the need for competence and objectivity in management monitoring.

4.2.1 Competence

This relates to managers’ knowledge of how controls operate and what constitutes a control weakness. Managers must be able to identify the root causes of weaknesses, and to do this they must have knowledge of the underlying control and the risks the control is designed to mitigate.

4.2.2 Objectivity

Different reviewers provide different levels of objectivity. Self-review, review of one’s own work, is obviously the least objective. Review by peers or superiors is more objective. Review by impartial evaluators is the most objective. Impartial evaluators may include internal auditors, people from other departments or external parties. However, because impartial evaluators are distant from the operation of controls, they tend to carry out separate evaluations rather than be involved in ongoing monitoring.

5 Internal audit

FAST FORWARD: The role of internal audit will vary according to the organisation’s objectives but is likely to include review of internal control systems, risk management, legal compliance and value for money.

Key term: Internal audit is an independent appraisal function established within an organisation to examine and evaluate its activities as a service to the organisation. The objective of internal audit is to assist members of the organisation in the effective discharge of their responsibilities. To this end, internal audit furnishes them with analyses, appraisals, recommendations, counsel and information concerning the activities reviewed. (UK Institute of Internal Auditors)

Internal audit is an appraisal or monitoring activity established by management and directors for the review of the accounting and internal control systems as a service to the entity. It functions by, among other things, examining, evaluating and reporting to management and the directors on the adequacy and effectiveness of components of the accounting and internal control systems. (UK Financial Reporting Council)

You covered the work of internal audit in Paper F8. This section summarises briefly the role of internal audit. It concentrates on the main issues for this exam, the independence of internal audit and its significance as part of the control and risk management systems.

5.1 The need for internal audit 12/08

The Turnbull report in the UK stated that listed companies without an internal audit function should annually review the need to have one, and listed companies with an internal audit function should annually review its scope, authority and resources.

Turnbull states that the need for internal audit will depend on:

  • Scale, diversity and complexity of the company’s operations. The more complex the operations, the more that can go wrong, and the greater the need for an independent internal audit department to look at the system as a whole, to see if risk management and internal controls are appropriately focused. In addition, where there is close scrutiny of the company’s operations by regulators with the power to remove the company’s licence to operate, the case for internal audit is much stronger.
  • Number of employees. Number of employees is generally used as a proxy for size. Investors would expect that the larger the company, the more formal the systems of internal control, including a separate internal audit department. A larger company may have complex reporting lines and it may have less shared culture between different locations.
  • Cost-benefit considerations. As with other controls, the costs of internal audit (salary, management time lost dealing with internal audit) should not outweigh the benefits. The benefits however may be difficult to quantify (how do you quantify the errors that internal audit has prevented?).
  • Changes in organisational structure. A simplification of the organisational structure may often lead to a slimming down of the internal audit department. However, a slimming down should really mean the opposite. The removal of the checks and balances implied by a bureaucratic structure would seem to increase the need for an effective internal audit function.
  • Changes in key risks. If the business is developing in new areas, an internal audit assessment of how effectively it is handling consequent changes in risk can be very significant.
  • Problems with internal control systems. Internal audit assessment would help to determine how serious these problems are and what can be done to resolve them.
  • Increased number of unexplained or unacceptable events. This applies not just to events that cause problems with the accounting records but also to problems that delay production or result in inferior quality goods or services. The costs of internal audit may need to be weighed against the possibilities of lost sales.

Although there may be alternative means of carrying out the routine work of internal audit, those carrying out the work may be involved in operations and hence lack objectivity.

It seems likely that once the task of reviewing internal control and risk management systems becomes complex, a skilled and objective internal audit team will be needed to give the audit committee the evidence it needs about how systems are working.



The PwC report Internal Audit 2012 suggests ten imperatives for a high-performance internal audit function in the future.

  • Strategic stature within the organisation. The chief audit executive should ensure that priorities align with the wishes of the audit committee and management and should be a trusted adviser to key stakeholders.
  • Development and update of strategic plan aligned with objectives and stakeholder expectations. The plan should indicate how internal audit will develop and be organised to deliver service, and suggest specific goals or strategic initiatives to bridge capability gaps.
  • Communication with key stakeholders. In particular there should be regular dialogue with the audit committee chairman and external auditors.
  • Align HR strategies with enterprise and stakeholder needs. This means internal audit ensuring that skills gaps relating to new and emerging skills are bridged.
  • Focus continually on enterprise risks. As well as testing controls, internal auditors ought to focus on the risks themselves, keeping management informed about risk exposures and conducting an annual enterprise-wide risk assessment, which feeds into the audit plan. Risk assessments need to be transparent, aligned with business units and involve external audit as well as internal management.
  • Integrated approach to IT audit. There should be an annual IT risk assessment, which addresses risks within business processes and seeks to enhance IT audit capabilities. The IT audit plan needs to be aligned with organisational IT strategies and objectives.
  • Use of technology to improve efficiency, effectiveness and quality. This includes automating tracking and reporting, testing populations automatically and using technology to conduct real-time reviews.
  • Development of knowledge management plan. The aim of this plan should be to make internal audit knowledge and expertise available to other internal auditors and business unit and enterprise management.
  • Commitment to continuous quality assurance. There should be a quality improvement programme and external assessment of performance and benchmarking.
  • Link performance measures to strategic goals. This means in particular using a balanced scorecard approach to track performance to the strategic plan.


5.2 Objectives of internal audit 6/10

The role of the internal auditor has expanded in recent years as internal auditors seek to monitor all aspects (not just accounting) of organisations, and add value to their employers. The work of the internal auditor is still prescribed by management, but it may cover the following broad areas.

  • Review of the accounting and internal control systems. The establishment of adequate accounting and internal control systems is a responsibility of management and the directors. Internal audit is often assigned specific responsibility for the following tasks.
    • Reviewing the design of the systems
    • Monitoring the effectiveness of the operation of the systems by risk assessment and detailed testing
    • Recommending cost-effective improvements

Review will cover both financial and non-financial controls.

  • Examination of financial and operating information. This may include review of the means used to identify, measure, classify and report such information and specific enquiry into individual items including detailed testing of transactions, balances and procedures.
  • Review of the economy, efficiency and effectiveness of operations. In the public sector especially this helps to determine whether or not value for money has been achieved.
  • Review of compliance. This should be carried out in relation to laws, regulations and other external requirements, with internal policies and directives, and with other requirements including appropriate authorisation of transactions.
  • Review of the safeguarding of assets. Are valuable, portable items such as computers or cash secured? Is authorisation needed for dealing in investments?
  • Review of the implementation of corporate objectives. This includes review of the effectiveness of planning, the relevance of standards and policies, the organisation’s corporate governance procedures and the operation of specific procedures such as communication of information.
  • Identification of significant business and financial risks. This involves monitoring the organisation’s overall risk management policy to ensure it operates effectively, and monitoring the risk management strategies to ensure they continue to operate effectively.
  • Special investigations. These can be carried out in particular areas, for example suspected fraud.

It is inevitable that internal audit will focus on operational controls. In some companies, however, the problem may be a failure of strategic level controls, due to management override of controls or poor strategic decision-making. However, internal audit’s role in relation to strategic controls will be limited, as most checking procedures have been followed at board level. The board must ultimately be responsible for the operation of strategic controls.

Exam focus point: You may need to apply your knowledge of what internal audit does to argue in favour of a particular organisation establishing an internal audit function.

5.3 Risk auditing 6/14

Risk-based audits are a development of systems audits. Auditors will be concerned to see that managers have put in place risk assessment processes that are capable of identifying risks on a timely basis, and have designed robust risk management processes and internal control systems. Auditors will attempt to confirm that these risk management processes and controls operate to mitigate risks and ensure that management receives accurate information about risks, particularly high consequences-likelihood risks, risks outside the organisation’s risk appetite or risks that have materialised due to serious deficiencies in internal control. Risk audits are not compulsory for all organisations, although in some regulated industries (banking and financial services) a form of ongoing risk assessment and audit is compulsory in most jurisdictions.

Internal audit’s work will be influenced by business objectives, the risks that may prevent the organisation achieving its objectives and the organisation’s attitude towards risk (that is, its degree of risk acceptance or risk aversion).

The main stages of the risk audit are:

  • Identification of risks

Risk auditors need to identify what risks are relevant to the work they will be required to do.

  • Assessment of risks

The auditors need to obtain evidence of the probability of those risks crystallising and their likely impact. Where the risk management framework is insufficient, auditors will have to rely on their own risk assessment and recommend an appropriate framework. Where an adequate framework for risk management and control is embedded in operations, auditors will aim to use management assessment of risks and concentrate on auditing the risk management processes.

  • Review of management and controls

The auditors will assess the operation and effectiveness of the risk management processes and the internal controls in operation to limit risks. A comprehensive risk audit will extend to the risk management and control culture.

  • Reporting

Reporting will mostly be to the board, or to the audit or risk committee. The report will concentrate on the extent of the key risks, the quality of existing assessment procedures and the effectiveness of controls.

5.3.1 Internal or external risk auditing? 12/09, 6/14

If internal auditors carry out the audit, they should be familiar with the organisation, its systems and procedures, its culture and the regulations that affect it. The internal auditors should be able to carry out a well-targeted audit and report in a way that is appropriate and helpful for the organisation.

However, internal auditors may suffer from the disadvantages of lack of independence and overfamiliarity. An internal audit may be undermined by internal politics and divisions. An external auditor can provide an unbiased, fresh view. A risk audit carried out by external auditors should give a higher degree of confidence to external stakeholders. It is also possible that external auditors’ knowledge of best practice and current developments may be more up to date. The external auditor may have a better awareness of certain risks than internal auditors do.

Exam focus point: If you are asked in the exam about the areas where internal audit should focus, you should consider the concerns outlined in the scenario. For example, in a highly regulated business where compliance failures are a significant business risk, internal audit is likely to focus on compliance work.


COSO stresses the role of internal auditors in adding value.

  • Reviewing critical control systems and risk management processes
  • Performing an effectiveness review of management’s risk assessment and internal controls
  • Providing advice in the design and improvement of control systems and risk mitigation strategies
  • Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies
  • Providing advice on enterprise risk management
  • Defining risk tolerances


5.4 Independence of internal audit

Auditors should be independent of the activities audited.

Although an internal audit department is part of an organisation, it should be independent of the line management whose sphere of authority it may audit.

5.4.1 Audit process

A lack of independence can mean that audits cannot be carried out to the extent and effectiveness desired. Internal auditors may not be able to examine all the areas they’d like to, or determine how the areas selected will be audited. They may feel inhibited from carrying out certain procedures for fear of upsetting powerful or vocal managers or staff.

In addition, internal audit will be trusted more by managers and staff, and is therefore more likely to have sensitive information disclosed to it, if it is felt to be independent.

5.4.2 Value of recommendations

Internal audit’s recommendations will only be valuable if they are influenced solely by what they find, and not biased by other factors. Factors that can distort the judgements which internal audit make include a willingness to take sides, motives of personal advantage or a desire to use the audit to confirm their own previous judgements (for example a dislike of certain individuals).

5.4.3 Increased costs of internal audit

Clearly if internal audit produce recommendations that are flawed because they reflect the auditors’ lack of independence, the costs of their salaries will be wasted. In addition, costs will ratchet up if management uses internal audit’s recommendations as the basis for decisions about risk management. Risks unnecessarily highlighted by internal audit may be over-managed, incurring excessive costs. Risks that are not highlighted by internal audit when they should have been may materialise, causing significant losses for the organisation.  

5.4.4 Confidence in recommendations

Line managers will be less willing to implement internal audit recommendations if they believe that internal audit is biased against them.



Spencer Pickett in the Internal Auditing Handbook suggests that the concept of independence involves a number of key qualities.

  • Objectivity. Judgements made in a state of detachment from the situation or decision
  • Impartiality. Not taking sides, in particular not being influenced by office politics in determining the work carried out and the reports given
  • Unbiased views. Avoiding the perception that internal audit is out to ‘hit’ certain individuals or departments
  • Valid opinion. The audit opinion should be based on all relevant factors, rather than being one that pleases everyone
  • No spying for management. Again internal audit should serve the whole organisation. Managers who want their staff targeted might be trying to cover up their own inadequacies
  • No no-go areas. Being kept away from certain areas will fatally undermine the usefulness of internal audit and mean that aggressive (incompetent?) managers are not checked
  • Sensitive areas audited. Internal audit must have the abilities and skills to audit complex areas effectively
  • Senior management audited. Internal audit must cover the management process and not just audit the detailed operational areas
  • No backing off. Audit objectives must be pursued fully in a professional manner and auditors must not allow aggressive managers to deflect them from doing necessary work and issuing valid opinions


5.5 Threats to independence

5.5.1 Involvement in systems design

If internal audit has been involved in the design of systems, it is very doubtful that they can audit what they have recommended.

5.5.2 Overfamiliarity

As a result of working for the same organisation, and being involved with the same issues, internal auditors may develop close professional or personal relationships with the managers and staff they are auditing. This may well make it very difficult to achieve independence. This particularly applies to staff who come into internal audit from operational departments. There may also be the risk of self-review – that they review work that they have previously done for operational departments.

As we shall see in Chapter 9, an organisation’s culture and informal networks of staff can have a big influence on individuals’ attitudes to ethics.

5.5.3 Reporting relationships

The principle that internal audit should be independent of the line management whose sphere of authority it audits ideally should extend to internal audit being independent of the finance director.

The reason for this is best seen by thinking about what could happen if the internal audit department reported some kind of irregularity to a finance director without realising that the finance director was actually involved. The director would take the report and decide that it was all very interesting, but not worth pursuing. A very different line might be taken by another, independent director!

Exam focus point: You may encounter other threats in the exam, possibly linked to the factors described in the case example above. However, the point about whether internal audit should report to the finance director may come up regularly in this exam.

5.6 Dealing with threats to independence

Independence of internal auditors can be achieved by the following.

  • The department should report to the board or to a special audit committee and not to the finance director (discussed further later in this chapter).
  • Management should ensure staff recruited to internal audit internally do not conduct audits on departments in which they have worked.
  • Where internal audit staff have also been involved in designing or implementing new systems, they should not conduct post-implementation audits.
  • Internal auditors should have appropriate scope in carrying out their responsibilities, and unrestricted access to records, assets and personnel.
  • Rotation of staff over specific departmental audits should be implemented.

5.6.1 Review and consultancy

Consultancy projects (one-off projects designed to address ad-hoc issues) are playing an increasing role in the work of internal audit. Taking on these projects enables internal auditors to extend their skills and the organisation to draw on the knowledge of internal auditors. However, there are dangers in becoming too involved in consultancy projects.

  • Internal audit staff may be diverted to consultancy projects, and the regular audit reviews may be inadequately resourced.
  • By taking on consultancy projects and suggesting solutions, internal audit could be getting too involved in operational concerns. There is a serious potential lack of independence if internal audit has to review solutions that internal audit staff have provided.
  • Management is relying on internal audit to solve problems instead of having operational staff and managers solve or preferably prevent them.

Certain steps therefore need to be taken in order to avoid these problems.

  • The terms of reference of the internal audit department (the main responsibilities) should draw a clear distinction between regular audit services and consultancy work.
  • Enough resources for regular work should be guaranteed. Consultancy work should be separately resourced and additional resources obtained if necessary.
  • If managers are concerned about improving controls, reviewing these improvements can legitimately be included in the work of internal audit.
  • Regular audit reviews and consultancy projects can be undertaken by different staff.
  • If consultancy work identifies serious control deficiencies, these must be incorporated into internal audit reviews as high risk areas.

5.7 Recruiting internal auditors

The decision about where to recruit internal auditors from will partly depend on the skills available internally and externally. Clearly an internal recruit has familiarity with the organisation that an external recruit would lack. However, there are a number of arguments in favour of recruiting externally.

5.7.1 Other experience

An external recruit can bring in fresh perspectives gained from working elsewhere. They can use their experience of other organisations’ problems to identify likely risk areas and recommend practical solutions and best practice from elsewhere.

5.7.2 Independence of operational departments

An internal recruit is likely to have built up relationships and loyalties with people with whom they have already worked, perhaps owing people favours. Equally they could have grievances or have come into conflict with other staff. These could compromise their independence when they come to audit those departments.

5.7.3 Prejudices and biases

An internal recruit is likely to have absorbed the perspectives and biases of the organisation, and thus be more inclined to treat certain individuals or departments strictly, while giving others the benefit of the doubt when it may not be warranted.

Exam focus point: A question issued by the examiner asked students to argue in favour of appointing an internal auditor from outside the company.

5.8 Differences between internal and external audit

The following table highlights the differences between internal and external audit.

Purpose
  Internal audit: Internal audit is an activity designed to add value to and improve an organisation’s operations. Its work can cover any aspect of an organisation’s business or operations, and is not just concerned with issues affecting the truth and fairness of the financial statements. Internal audit will mean different things in different organisations.
  External audit: External audit is an exercise to enable auditors to express an opinion on the financial statements.

Reporting to
  Internal audit: Internal audit reports to the board of directors, or others charged with governance, such as the audit committee.
  External audit: The external auditors report to the shareholders, or members, of a company on the stewardship of the directors.

Relating to
  Internal audit: Internal audit’s work relates to the operations of the organisation.
  External audit: External audit’s work relates to the financial statements. They are concerned with the financial records that underlie these.

Relationship with the company
  Internal audit: Internal auditors are very often employees of the organisation, although sometimes the internal audit function is outsourced.
  External audit: External auditors are independent of the company and its management. They are appointed by the shareholders.

The table shows that although some of the procedures that internal audit undertake are very similar to those undertaken by the external auditors, the whole basis and reasoning of their work is fundamentally different.

The difference in objectives is particularly important. Every definition of internal audit suggests that it has a much wider scope than external audit, which has the objective of considering whether the accounts give a true and fair view of the organisation’s financial position.

5.9 Quality control and internal auditing

Whatever the criteria used to judge effectiveness, quality control procedures will be required to monitor the professional standards of internal audit. Internal audit departments should establish and monitor quality control policies and procedures designed to ensure that all audits are conducted in accordance with internal standards. They should communicate those policies and procedures to their personnel in a manner designed to provide reasonable assurance that the policies and procedures are understood and implemented.

Quality control policies will vary depending on factors such as the following.

  • The size and nature of the department
  • Geographic dispersion
  • Organisation
  • Cost-benefit considerations

Policies and procedures and related documentation will therefore vary from company to company.

The Institute of Internal Auditors has suggested that a formal system of quality assurance should be implemented in the internal audit department. This should cover the department’s compliance with appropriate standards, encompassing quality, independence, scope of work, performance of audit work and management of the internal audit department.

5.10 Annual review of internal audit

The board or audit committee (discussed in Section 6) should conduct an annual review of the internal auditors’ work. The reviews should include the following areas.

5.10.1 Scope of work

The review will be particularly concerned with the work done to test:

  • The adequacy, effectiveness and value for money of internal control
  • Risk assessment and management processes
  • Compliance with laws, regulations and policies
  • Safeguarding of assets
  • Reliability of information
  • Value for money
  • Attainment of organisation’s objectives and goals

It should be possible to see from the plans submitted by internal audit to the audit committee that internal audit’s work forwards the organisation’s aims and that internal audit is responsive to organisational change.

5.10.2 Authority

The review should cover the formal terms of reference and assess whether they are adequate.

It should consider whether there are senior personnel in the organisation who can ensure that the scope of internal audit’s work is sufficiently broad and that there is adequate consideration of audit reports and appropriate action taken as a result of audit findings and recommendations.

5.10.3 Independence

The review should consider carefully whether there are adequate safeguards in place to ensure the independence of internal audit. These include reporting by the head of internal audit to the audit committee, dismissal of the head of internal audit being the responsibility of the board or audit committee, internal auditors not assuming operational responsibilities and internal auditors being excluded from systems, design, installation and operation work.

5.10.4 Resources of internal audit

Again the review should consider the documentation provided by internal audit and confirm that resourcing plans indicate that there will be sufficient resources to review all areas. This should be assessed in terms of not just the hours set aside but also physical resources such as computers and also of course the necessary knowledge, skills and experience.

Exam focus point: The annual review of internal audit is a likely subject of a part-question in the exam.

6 Audit committee 12/08, 06/13, 6/15
6.1 Role and function of audit committee


An audit committee of independent non-executive directors should liaise with external audit, supervise internal audit and review the annual accounts and internal controls.

Exam focus point: Audit committees are very significant because of their responsibilities for supervision and overall review. In particular they should have a close interest in the work of internal audit and internal audit should have unrestricted access to the audit committee.

Audit committees are now compulsory for companies trading on the New York Stock Exchange.

In order to be effective, the audit committee has to be well staffed. The UK Smith report recommends that the audit committee should consist entirely of independent non-executive directors (excluding the chairman), and should include at least one member with significant and recent financial experience. The Singapore code suggests that at least two members should have accounting or related financial management expertise.

The Cadbury report summed up the benefits that an audit committee can bring to an organisation:

‘If they operate effectively, audit committees can bring significant benefits. In particular, they have the potential to:

  • Improve the quality of financial reporting, by reviewing the financial statements on behalf of the Board
  • Create a climate of discipline and control which will reduce the opportunity for fraud
  • Enable the non-executive directors to contribute an independent judgement and play a positive role
  • Help the finance director, by providing a forum in which he can raise issues of concern, and which he can use to get things done which might otherwise be difficult
  • Strengthen the position of the external auditor, by providing a channel of communication and forum for issues of concern
  • Provide a framework within which the external auditor can assert his independence in the event of a dispute with management
  • Strengthen the position of the internal audit function, by providing a greater degree of independence from management
  • Increase public confidence in the credibility and objectivity of financial statements.’

There are, however, some possible drawbacks with an audit committee:

  • Since the findings of audit committees are rarely made public, it is not always clear what they do or how effective they have been in doing it.
  • The audit committee’s approach may act as a drag on the drive and entrepreneurial flair of the company’s senior executives.
  • The Cadbury report warned that the effectiveness of the audit committee may be compromised if it acts as a ‘barrier’ between the external auditors and the main (executive) board.
  • The Cadbury committee also suggested that the audit committee may be compromised if it allows the main board to ‘abdicate its responsibilities in the audit area’, as this will weaken the board’s responsibility for reviewing and approving the financial statements.
  • The audit committee may function less effectively if it falls under the influence of a dominant board member, particularly if that board member is the only committee member with significant financial knowledge and experience.


The main duties of the audit committee are likely to be as follows.

6.2 Review of financial statements and systems

The committee should review both the quarterly/interim (if published) and annual accounts. This should involve assessment of the judgements made about the overall appearance and presentation of the accounts, key accounting policies and major areas of judgement.

As well as reviewing the accounts, the committee’s review should cover the financial reporting and budgetary systems and controls. This involves considering performance indicators and information systems that allow monitoring of the most significant business and financial risks, and the progress towards financial objectives. The systems should also highlight developments that may require action (for example large variances), and communicate these to the right people. The audit committee also needs to consider carefully the control systems that underpin accurate financial reporting by ensuring that information is correct and complete. This will mean considering the personnel and organisational structure issues discussed in Chapter 5, the controls in place to guarantee information is correct or detect errors discussed in Chapter 7, and the responsibilities for providing information discussed earlier in this chapter.

6.3 Review of internal control 6/11, 12/14

The audit committee should play a significant role in reviewing internal control.

  • Committee members can use their own experience to monitor continually the adequacy of internal control systems in mitigating risks, focusing particularly on the control environment, management’s attitude towards controls and overall management controls.
  • The audit committee’s review should cover legal compliance and ethics, for example listing rules or environmental legislation. Committee members should check that there are systems in place to promote compliance. They should review reports on the operation of codes of conduct and investigate violations.
  • The audit committee must actively monitor the effectiveness of control over financial reporting and needs to demonstrate professional scepticism when doing so.
  • The committee should also address the risk of fraud, ensuring that employees are aware of risks and that there are mechanisms in place for staff to report fraud, and fraud to be investigated.
  • Each year the committee should be responsible for reviewing the company’s statement on internal controls prior to its approval by the board.
  • The committee should consider the recommendations of the auditors in the management letter and management’s response. Because the committee’s role is ongoing, it can also ensure that recommendations are publicised and see that actions are taken as appropriate.
  • The committee may play a more active supervisory role, for example reviewing major transactions for reasonableness.

6.4 Review of risk management

The audit committee can play an important part in the review of risk recommended by the Turnbull report. This includes confirming that there is a formal policy in place for risk management and that the policy is backed and regularly monitored by the board. The committee should also review the arrangements, including training, for ensuring that managers and staff are aware of their responsibilities. Committee members should use their own knowledge of the business to confirm that risk management is updated to reflect current positions and strategy. The extent of their work may depend on whether there is a separate risk management committee (see Chapter 5).

6.5 Liaison with external auditors

The audit committee’s tasks here will include:

  • Being responsible for the appointment or removal of the external auditors as well as fixing their remuneration.
  • Considering whether there are any other threats to external auditor independence. In particular the committee should consider non-audit services provided by the external auditors, paying particular attention to whether there may be a conflict of interest.
  • Discussing the scope of the external audit prior to the start of the audit. This should include consideration of whether external audit’s coverage of all areas and locations of the business is fair, and how much external audit will rely on the work of internal audit.
  • Acting as a forum for liaison between the external auditors, the internal auditors and the finance director.
  • Helping the external auditors to obtain the information they require and in resolving any problems they may encounter.
  • Making themselves available to the external auditors for consultation, with or without the presence of the company’s management.
  • Dealing with any serious reservations which the external auditors may express either about the accounts, the records or the quality of the company’s management.

6.6 Oversight of internal audit

The audit committee needs to oversee the work of internal audit and ensure its work supports the company’s strategic objectives and the compliance needs of the company.

6.6.1 Reporting relationship

Internal audit normally reports to the audit committee for the following reasons.

  • Independence

The fact that internal audit is reporting to a committee of independent non-executive directors itself helps guarantee internal audit’s independence. As they are not involved in day-to-day management, committee members will have no self-interest in diverting internal audit’s attention away from their area of the business. The audit committee should be able to take steps to ensure that internal audit remains independent and that its work is not compromised by pressure from operational management. This particularly applies if internal audit needs to review higher-level strategic matters which are likely to be the responsibility of very senior management.

  • Strategic oversight

Having internal audit report to the audit committee makes clear the responsibility the committee has for determining the strategy adopted by internal audit. The committee should help internal audit fulfil some of the objectives discussed in the Internal Audit 2012 report covered above to deliver services and specific goals, including being responsive to the views and needs of different stakeholders. The committee also needs to take decisions about the level of resources available to internal audit and where these resources should be employed. This is a subsidiary part of its general responsibility to look at whether internal controls are effective, internal audit being a control just like any other.

  • Authority

We discussed earlier the need for internal audit to have whatever access is necessary to people and documents and that there should be no no-go areas. The backing of the audit committee should reinforce the authority that internal audit has to enforce its demands.  

  • Role of audit committee

Internal audit provides the evidence that informs the reviews of financial statements, internal control and risk management that the audit committee undertakes.

  • Monitoring of internal audit

Monitoring the role of internal audit forms part of the audit committee’s involvement in the overall monitoring process carried out by the board, discussed earlier in this chapter. The annual review of internal audit, discussed in Section 5, will be a key part of this monitoring process.

  • Ensuring action taken

The audit committee should provide a forum for internal audit’s conclusions to be considered fairly. It can also follow up the reports of internal audit by obtaining evidence of whether its recommendations have been implemented. It has the authority to hold managers accountable if they have failed to take action.     

6.6.2 Annual review of internal audit

The review should cover the formal terms of reference and assess whether they are adequate.

It should also cover the following aspects of internal audit.

  • Standards including objectivity, technical knowledge and professional standards
  • Scope including how much emphasis is given to different types of review
  • Resources – is the number of staff hours enough and are the technical and personal skills of the staff collectively sufficient for the work they are required to do?
  • Reporting arrangements
  • Work plan, especially review of controls and coverage of high risk areas
  • Liaison with external auditors
  • Results

The head of internal audit should have direct access to the audit committee.

6.7 Investigations

The committee will also be involved in implementing and reviewing the results of one-off investigations.


UK guidance recommends that audit committees should be given specific authority to investigate matters of concern, and in doing so have access to sufficient resources, appropriate information and external professional help.

7 Board monitoring and reporting


Boards should review risks and the effectiveness of internal controls regularly.

Boards should carry out an annual review that looks more widely at risks faced and control systems and also at how these issues should be reported.

7.1 Significance of board review

We have mentioned throughout the last few chapters the importance of management review of internal controls; the results of internal audit work obviously play a major part in this review. In the last section of this chapter we shall look in more detail at management’s review of internal controls, since it is effectively the last stage of the audit process.

7.2 Review of internal controls

The UK Turnbull committee suggests that review of internal controls should be an integral part of the company’s operations. The board, or board committees, should actively consider reports on control issues from others operating internal controls.

In order to be able to carry out an effective review, boards should regularly receive and review reports and information on internal control, concentrating on:

  • What the risks are and strategies for identifying, evaluating and managing them
  • The effectiveness of the management and internal control systems in the management of risk, in particular how risks are monitored and how any deficiencies have been dealt with
  • Whether actions are being taken to reduce the risks found
  • Whether the results indicate that internal control should be monitored more extensively

(a) What sort of information would help the board carry out an effective review of internal control?
(b) What sort of employee attitudes would help or hinder an effective review of internal control?

(a) The UK’s Institute of Internal Auditors suggests that the board needs to consider the following information in order to carry out an effective review.

  • The organisation’s Code of Business Conduct (if it has one – see Chapter 10)
  • Confirmation that line managers are clear as to their objectives
  • The overall results of a control self-assessment process by line management or staff
  • Letters of representation (‘comfort letters’) on internal control from line management (confirmations about the operation of systems or specific transactions)

  • A report from the audit committee on the key procedures which are designed to provide effective internal control
  • Reports from internal audit on audits performed
  • The audit committee’s assessment of the effectiveness of internal audit
  • Reports on special reviews commissioned by the audit committee from internal audit or others
  • Internal audit’s overall summary opinion on internal control
  • The external auditors’ report on deficiencies in the accounting and internal control systems and other matters, including errors, identified during the audit
  • Intelligence gathered by board members during the year
  • A report on avoidable losses by the finance director
  • A report on any material developments since the balance sheet date and up to the present
  • The board’s proposed wording of the internal control report for publication

(b) The following employee attitudes will be relevant.

Response to management behaviour 

Employees may take controls with the same degree of seriousness that management does. They will take into account how strictly controls are applied by senior managers, whether senior managers override controls, and whether follow-up action is taken by management if control deficiencies are identified.

Realism of controls

If employees see controls as unrealistic because for example there is insufficient time to operate them, they may not take management review of controls seriously.

Employee collusion

If employees do collude, the evidence available to management may be undermined. Collusion may not necessarily be hiding fraud. It could be a shared intention to thwart what is seen as unnecessary bureaucracy. The fact for example that there are two signatures on a document does not necessarily mean that it has been checked properly.

Focus on certain controls 

If a lot of emphasis is placed on certain controls, reports on which the annual review is based will stress the operation of those controls and provide less detail of other controls that are also significant.


Many employees may feel that controls are bureaucracy and as such interfere with more important day-to-day work. This may mean for example that controls are not operated when they should be but some time later, and so the evidence the annual review is relying on may not be as strong as it appears.

Reliance on memory

Some controls may be dependent on knowledge held in the mind of employees. The employees concerned may be happy about this because it reinforces their position, but it can lead to a lack of clarity about whether controls have operated, and also inconsistency and misunderstanding when controls depend on the attitudes of the person operating them.



In an appendix Turnbull provides more detailed guidance on what should be assessed as part of the regular review of internal controls:

Risk assessment

  • Does the organisation have clear objectives and have they been communicated to provide direction to employees (examples include performance targets)?
  • Are significant risks identified and assessed on an ongoing basis?
  • Do managers and employees have a clear understanding of what risks are acceptable?

Control environment and control activities

  • Does the board have a risk management policy and strategies for dealing with significant risks?
  • Do the company’s culture, code of conduct, human resource policies and performance reward systems support the business objectives and risk management and control systems?
  • Does senior management demonstrate commitment to competence, integrity and fostering a climate of trust?
  • Are authority, responsibility and accountability clearly defined?
  • Are decisions and actions of different parts of the company appropriately co-ordinated?
  • Does the company communicate to its employees what is expected of them and the scope of their freedom to act?
  • Do company employees have the knowledge, skills and tools necessary to support the company’s objectives and manage risks effectively?
  • How are processes and controls adjusted to reflect new or changing risks or operational deficiencies?

Information and communication

  • Do managers receive timely, relevant and reliable reports on progress against business objectives and risks to provide the information needed for decision-making and review processes?
  • Are information needs and systems reassessed as objectives and related risks change or reporting deficiencies are identified?
  • Do reporting procedures communicate a balanced and understandable account of the company’s position and prospects?
  • Are there communication channels for individuals to report suspected breaches of law or regulations or other improprieties?

Monitoring

  • Are there ongoing embedded processes for monitoring the effective application of the policies, processes and activities relating to internal control and risk management?
  • Do these processes monitor the company’s ability to re-evaluate risks and adjust controls effectively in response to changes in objectives, business and environment?
  • Are there effective follow-up procedures to ensure action is taken in response to changes in risk and control assessments?
  • Are there specific arrangements for management monitoring and reporting to the board matters of particular importance (including fraud or illegal acts)?

7.3 Annual review of controls

In addition, when directors are considering annually the disclosures they are required to make about internal controls, the Turnbull report states they should conduct an annual review of internal control. This should be wider ranging than the regular review. In particular, it should cover:

  • The changes since the last assessment in risks faced, and the company’s ability to respond to changes in its business environment
  • The scope and quality of management’s monitoring of risk and internal control and of the work of internal audit, or consideration of the need for internal audit if the company does not have it
  • The extent and frequency of reports to the board
  • Significant controls, failings and deficiencies with material impacts on the accounts
  • The effectiveness of the public reporting processes

7.4 Internal risk reporting

Risk reporting needs to cover all stages of the risk management system and be carried out on a systematic, regular basis. The system also needs to ensure that significant changes in the risk profile are notified quickly to senior management. Reporting of high impact-likelihood risks may occur daily; other risks may be reported monthly or quarterly. The risk register is a key document in risk reporting, not only in terms of identifying risks but also in allocating responsibility for managing, monitoring and reporting.

Reports should show the risk levels before controls are implemented and the residual risk after controls are taken into account.

Reporting also needs to include comparisons of actual risks against predicted risks and feedback on the action taken to manage and reduce risks that the system has identified.

  • Have the actions taken fulfilled their objectives?
  • What further action is needed?
  • Have the costs of taking action justified the benefits?

If risks have not been managed effectively at lower levels of the organisation, senior management may need to take a more active role.

As it will not be worthwhile to eliminate all risks, the reporting system needs to highlight residual risks, the remaining exposure to risk after appropriate management action has been taken.
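The reporting points above (inherent versus residual risk, a reporting cadence driven by impact and likelihood, prompt notification of significant changes in the risk profile, and feedback on whether actions taken have met their objectives and justified their cost) can be expressed as a small risk register. The following Python is an added example and is not part of the study text or of any cited framework; the 1-5 rating scales, the score thresholds for daily/monthly/quarterly reporting, the escalation delta and the sample risks are all constructed assumptions for illustration.

```python
"""Risk register reporting helper (added example; scales and thresholds are assumptions)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed 1-5 scales for likelihood and impact; score = likelihood x impact (1..25).
DAILY_THRESHOLD = 15      # assumed: score >= 15 is a high impact-likelihood risk
MONTHLY_THRESHOLD = 8     # assumed: scores 8..14 reported monthly, below 8 quarterly
ESCALATION_DELTA = 5      # assumed: a residual score moving by 5 or more is "significant"


@dataclass
class Action:
    description: str
    objective_met: bool
    cost: float
    benefit: float


@dataclass
class Risk:
    ref: str
    description: str
    owner: str                  # responsible for managing, monitoring and reporting
    inherent_likelihood: int    # assessed before controls
    inherent_impact: int
    residual_likelihood: int    # assessed after controls are taken into account
    residual_impact: int
    actions: List[Action] = field(default_factory=list)

    def __post_init__(self):
        for v in (self.inherent_likelihood, self.inherent_impact,
                  self.residual_likelihood, self.residual_impact):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.ref}: ratings must be on the 1-5 scale")
        if self.residual_score > self.inherent_score:
            raise ValueError(f"{self.ref}: residual risk cannot exceed inherent risk")

    @property
    def inherent_score(self) -> int:
        return self.inherent_likelihood * self.inherent_impact

    @property
    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact


def reporting_frequency(score: int) -> str:
    """Map a residual score to a reporting cadence (thresholds are assumptions)."""
    if score >= DAILY_THRESHOLD:
        return "daily"
    if score >= MONTHLY_THRESHOLD:
        return "monthly"
    return "quarterly"


def action_feedback(risk: Risk) -> Dict[str, bool]:
    """Answer the three feedback questions for the actions taken on a risk."""
    met = [a.objective_met for a in risk.actions]
    cost = sum(a.cost for a in risk.actions)
    benefit = sum(a.benefit for a in risk.actions)
    return {
        "objectives_fulfilled": bool(met) and all(met),
        "further_action_needed": not met or not all(met),
        "costs_justified": benefit >= cost,
    }


def profile_changes(previous: Dict[str, int], register: List[Risk]) -> List[Tuple[str, int, int]]:
    """Residual scores that moved by ESCALATION_DELTA or more since the last report,
    plus newly registered risks (old score shown as 0): the changes senior
    management should be told about promptly rather than at the next scheduled report."""
    changes = []
    for r in register:
        old = previous.get(r.ref, 0)
        if r.ref not in previous or abs(r.residual_score - old) >= ESCALATION_DELTA:
            changes.append((r.ref, old, r.residual_score))
    return changes


def build_report(register: List[Risk]) -> List[dict]:
    """One row per risk, highest residual exposure first."""
    rows = []
    for r in sorted(register, key=lambda x: x.residual_score, reverse=True):
        rows.append({
            "ref": r.ref, "owner": r.owner,
            "inherent": r.inherent_score, "residual": r.residual_score,
            "frequency": reporting_frequency(r.residual_score),
            **action_feedback(r),
        })
    return rows


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("R1", "Supplier payment fraud", "Finance director", 4, 5, 2, 5,
         [Action("Dual authorisation above threshold", True, 20_000, 150_000)]),
    Risk("R2", "Loss of customer data", "IT director", 3, 5, 3, 5,
         [Action("Encrypt backups", False, 50_000, 40_000)]),
    Risk("R3", "Key-person dependency in treasury", "Treasurer", 3, 3, 2, 2),
]
PREVIOUS_RESIDUALS = {"R1": 16, "R2": 15}   # constructed: residual scores at the last report

if __name__ == "__main__":
    for row in build_report(SAMPLE_REGISTER):
        print(row)
    print("escalate:", profile_changes(PREVIOUS_RESIDUALS, SAMPLE_REGISTER))
```

The register refuses a residual rating higher than the inherent one, since controls can only reduce exposure; a risk whose residual score is unchanged (R2 in the sample) stays on its scheduled cadence, while one that has moved significantly (R1) or is new (R3) is listed for immediate notification regardless of cadence.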

7.5 External reporting on risk management and internal controls 6/08, 12/10

Stricter requirements on external reporting have been introduced over the last ten years because of the contribution of internal control failures to corporate scandals. The requirements have tried to address the concerns of shareholders and other stakeholders that management has exercised proper control.

Exam focus point: June 2008 Question 4 asked about the contents of a report on internal controls, and whether reporting was unnecessary for small companies.

Per the UK Turnbull report, the board should disclose in the accounts as a minimum the existence of a process for managing risks, how the board has reviewed the effectiveness of the process and that the process accords with the Turnbull guidance. The board should also include:

  • An acknowledgement that they are responsible for the company’s system of internal control and reviewing its effectiveness
  • An explanation that such a system is designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss
  • A summary of the process that the directors (or a board committee) have used to review the effectiveness of the system of internal control and consider the need for an internal audit function if the company does not have one; there should also be disclosure of the process the board has used to deal with material internal control aspects of any significant problems disclosed in the annual accounts
  • Information about those deficiencies in internal control that have resulted in material losses, contingencies or uncertainties which require disclosure in the financial statements or the auditor’s report on the financial statements

The information provided must be meaningful, taking an overall, high-level view. It must also be reliable. The work of the internal audit and audit committee can help ensure reliability.

Exam focus point: Although the Turnbull report was issued in the UK, it can be regarded as setting out best practice on board review and reporting for most jurisdictions.


Diageo, the global premium drinks business, disclosed risks under the following headings in its 2011 accounts.

  • Competition reducing market share and margins
  • Not deriving expected benefits from strategy of focusing on premium drinks or its cost-saving and restructuring programmes
  • Not deriving expected benefits from systems change programmes and disruption caused by systems failures
  • Regulatory decisions and changes resulting in increased costs and liabilities, or limitation of business activities
  • Having to fight litigation directed at the beverage industry or other litigation
  • Contamination, counterfeiting or other circumstances affecting brand support
  • Decreased demand due to changes in consumer preferences and tastes, or declining economy
  • Decreased demand due to decline in social acceptability of products
  • Adverse effect on business due to unfavourable local economic conditions or political or other developments
  • Poorer results due to increased costs or shortages of labour
  • Increases in the cost of raw materials or energy
  • Poorer results due to disruption to production facilities, business service centres or information systems or change programmes not delivering intended benefits
  • Adverse impact on business or operations of climate change or regulatory market measures to address climate change
  • Adverse impact on production costs and capacity of water scarcity or poor quality
  • Poorer results due to movements in value of pension funds, fluctuations in exchange rates and fluctuations in interest rates
  • Disruption to operations caused by failure to renegotiate distribution, supply, manufacturing or licensing arrangements
  • Inability to protect intellectual property rights
  • Inability to enforce judgements of US courts against directors based outside the US

Diageo’s corporate governance statement includes a general statement on risks and internal controls. It stresses that the business is aiming to avoid or reduce risks that can cause loss, reputational damage or business failure. Nevertheless the company aims to control business cost effectively and exploit profitable business opportunities in a disciplined way. Each year risk is assessed as an integral part of strategic planning by:

  • All significant business units
  • The Diageo executive committee

These assessments are reviewed by relevant executives and the audit and risk committees. The committees gain assurance from:

  • Summary information in relation to the management of identified risks
  • Detailed review of the management of selected key risks
  • The work of the audit and risk function

Risk assessment also covers major business decisions and initiatives and significant operational risks such as health and safety, product quality and environmental risk management.

There is also specific detail on how such treasury risks as currency, interest rate, liquidity, credit and commodity price risks are being managed.


7.5.1 Sarbanes-Oxley requirements

The requirements relating to companies that are under the Sarbanes-Oxley regime are rather stricter than under the UK regime.

The most significant difference is that in the UK directors should say that they have assessed the effectiveness of internal controls in general, whereas Sarbanes-Oxley requires the directors to say specifically in the accounts whether or not internal controls over financial reporting are effective. The directors cannot conclude that controls are effective if there are material deficiencies in controls, severe deficiencies that result in a more than remote likelihood that material misstatements in the financial statements won’t be prevented or detected.

Under Sarbanes-Oxley disclosures should include a statement of management responsibility, details of the framework used, disclosure of material deficiencies and also a statement by the external auditors on management’s assessment of the effectiveness of internal control.

How much value reports give has been debated, particularly in America where some believe that the Sarbanes-Oxley legislation is too onerous. If reporting is compulsory, companies cannot apply a cost-benefit analysis to determine whether it is justified. It would certainly appear to be more beneficial for a larger company with elaborate control systems, where most of the shares are held by external shareholders.

7.6 Factors affecting extent of reporting

Companies may have a number of reasons for internal control reporting beyond legal compliance. Internal control reporting is an important way for directors to demonstrate their accountability for managing the company. Detailed reporting can be a part of policy, to provide shareholders and other finance suppliers with assurance that controls are operating effectively to limit their risks.

Depending on how much leeway companies have on how they report on risk and control, the following factors may influence what they say.

7.6.1 Other accounts disclosures

The risk and control report should link in with other disclosures in the accounts about business developments. UK 2008 regulations require disclosure in the directors’ report of likely future developments in the business of the company, including changes in risk exposure. The UK Corporate Governance Code 2010 included a requirement for companies to explain their business model.

7.6.2 Interests of users

The directors must also take account of the views of shareholders, who will be interested in learning about the risks that could have most impact on the value of their investment, and how these risks are being controlled. These would include principal strategic and financial risks, and also operational risks that could have severe financial consequences. The views of other principal stakeholders will also be important.

7.6.3 Risks materialising or changing over the year

Disclosure of risks that have significantly changed will be important, as will how control systems have developed to meet these changes.

7.6.4 Reputation risks

Risks that could cause a significant decline in the organisation’s reputation may well be risks about which the board wishes to reassure stakeholders. Disclosures may focus on threats to reputation that may have a large impact on the business, particularly product safety.

7.6.5 Limitations on risk disclosures

The board may be less willing to disclose some risks on the grounds of commercial confidentiality. Directors may also fear that disclosures about certain risks will be misinterpreted by readers of the accounts. However, they may also be motivated to include matters covered in the reports of competitors or those identified as best practice to demonstrate how they are managing the risks that are common in this industry.

                                7.7 Compulsory external reporting                                   12/10

The factors listed above will be significant if reporting is regarded as voluntary or, at most, best practice. There are a number of arguments in favour of compulsory reporting.

  • Improved confidence of shareholders. Shareholders wish to be sure that boards are managing risk responsibly and that risk levels are not excessive. Compulsory reporting also helps to reinforce confidence in the quality of information.
  • Stimulus to directors. Directors will know that they cannot avoid being held to account if controls are poor, as investors will be able to read the report and seek more information on areas where controls are weak.
  • As well as providing information to ordinary shareholders, compulsory reporting can provide valuable information for stakeholders with power to hold directors accountable, particularly market regulators and institutional investors.
  • It should remove the possibility of companies with poor controls being able to hide them and keep investors satisfied by good results.



In the last few chapters we have mentioned the Turnbull guidance on a number of occasions.

What do you think are the most important qualities that the Turnbull guidance has? (You may wish to refer back to the summary of the guidance at the end of Chapter 3.)



Key features of the Turnbull guidance include the following.

  • It is forward looking.
  • It does not seek to eliminate risk. It is constructive in its approach to opportunity management, as well as concerned with ‘disaster prevention’. To succeed, companies are not required to take fewer risks than others but they do need a good understanding of what risks they can handle.
  • It unifies all business units of a company into an integrated risk review.
  • It is strategic, and driven by business objectives, particularly the need for the company to adapt to its changing business environment.
  • It should be durable, evolving as the business and its environment changes.
  • In order to create shareholder value, a company needs to manage the risks it faces and communicate to the capital markets how it is carrying out this task. This helps shareholders make informed decisions – remember shareholders are prepared to tolerate risk provided they receive an acceptable level of return. It will also provide more confidence in the company and therefore lower the required return of shareholders and lenders.



Chapter Roundup

  • Directors need information from a large variety of sources to be able to supervise and review the operation of the internal control systems. Information sources should include normal reporting procedures, but staff should also have channels available to report problems or doubtful practices of others.
  • Procedures improving staff abilities and attitudes should be built into the control framework.
  • Communication of control and risk management issues and strong human resource procedures reinforce the control systems.
  • To be effective, monitoring by management needs to be ongoing and to involve separate evaluation of systems. Deficiencies need to be communicated to all the appropriate people.
  • Management is responsible for the implementation of effective monitoring procedures. The board is responsible for ensuring a system of effective monitoring is in place, and for monitoring management’s activities.
  • The role of internal audit will vary according to the organisation’s objectives but is likely to include review of internal control systems, risk management, legal compliance and value for money.
  • An audit committee of independent non-executive directors should liaise with external audit, supervise internal audit, and review the annual accounts and internal controls.
  • Boards should review risks and the effectiveness of internal controls regularly.
  • Boards should carry out an annual review that looks more widely at risks faced and control systems, and also at how these issues should be reported.



Quick Quiz

  1 Fill in the blank:

    …………………………………. ensures that internal control continues to operate effectively. This process involves assessment by appropriate personnel of the design and operation of control on a suitably timely basis, and the taking of necessary actions. It applies to all activities within an organisation and sometimes to outside contractors as well.

  2 Complete the mnemonic in respect of the qualities of good information.

    A ……………  C ……………  C ……………  U ……………  R ……………  A ……………  T ……………  E ……………

  3 What are the main elements of internal audit’s review of the accounting and control systems?
  4 Which of the following is not a measure designed to enhance the independence of internal audit?
    A Internal audit should have unrestricted access to records, assets and personnel.
    B Internal audit should report ultimately to the finance director.
    C Internal auditors should not audit systems that they have designed.
    D The terms of reference of the internal audit department should draw a clear distinction between regular audit services and consultancy work.
  5 List the main responsibilities of audit committees.
  6 True or false? Audit committees are generally staffed by executive directors.
  7 According to the Turnbull report, what should be the main elements of the board’s regular review of internal controls?
  8 And what should be the main elements of the board’s annual review of internal controls?

Answers to Quick Quiz

  1 Monitoring
  2 Accurate
    Complete
    Cost-beneficial
    User-targeted
    Relevant
    Authoritative
    Timely
    Easy to use
  3 • Reviewing the design of systems
    • Monitoring the operation of systems by risk assessment and detailed testing
    • Recommending cost-effective improvements
  4 B Internal audit should ultimately report to the audit committee.
  5 • Review of financial statements and systems
    • Review of internal control systems
    • Review of risk management
    • Liaison with external auditors
    • Investigations
    • Review of internal audit
  6 False. Non-executive directors should staff the audit committee to enhance its function as an independent monitor, and as a forum to which internal and external audit can address their concerns.
  7 • What the risks are and the strategies for identifying, evaluating and managing them
    • The effectiveness of the management and internal control systems
    • Whether actions are being taken to reduce the risks found
    • Whether the results indicate that internal control should be monitored more extensively
  8 • The changes since the last assessment in risks faced and in the company’s ability to respond to changes in its business environment
    • The scope and quality of management’s monitoring of risk and internal control, and of the work of internal audit
    • The extent and frequency of reports to the board
    • Significant controls, failings and deficiencies having material impacts on the accounts
    • The effectiveness of the public reporting processes



Number   Level         Marks   Time
Q8       Examination   25      49 mins

