What Does an Effective Audit Committee Actually Do? – Part 2

In Part 1 of this post, we considered the role and functions of the audit committee in overseeing risk management and internal controls, and monitoring the effectiveness of internal and external auditors. In this post, we explore the practical arrangements which make the audit committee successful.

Composition of the Audit Committee

The UK Code states that an audit committee should have at least 2 members who are independent non-executive directors (3 for listed companies), i.e. they are not salaried employees, ex-employees or otherwise in a business relationship with the organisation. Appointments should be made by the Board in consultation with the Audit Committee chair. Usually appointments are made for 3 years, extendable for further periods. At least one member should have ‘recent and relevant financial experience’ and ideally a professional accountancy qualification. The role of the Chair is critical to the success of the committee. A good chair will be independently minded, promote open discussion, manage meetings to cover all business and encourage a candid approach from all participants. An interest in and knowledge of financial and risk management, audit, accounting concepts and standards, and the regulatory regime are also essential. A specialism in one of these areas would be an advantage. Outside the formal meetings, the chair will usually meet periodically with the CEO, finance director, external auditor and head of internal audit, as well as the Chair of the Board.

The committee will need access to suitable resources to ensure that agendas and board packs are distributed in advance and that timely, accurate minutes are prepared. As a matter of good practice, the company secretary should normally act as secretary to the audit committee. Audit committee members must be given suitable induction and ongoing training, which should include understanding of financial statements, application of accounting standards, regulatory and legal developments affecting the organisation’s business, as well as risk management techniques. Internal and external auditors could usefully help with this as part of their retainer.

What makes an effective audit committee?

Recent research by Grant Thornton (Knowing the Ropes, 2015) found that the following qualities are found in effective audit committee members (ranked in order):

  • Ability to ask challenging questions
  • Recent and relevant financial experience
  • Audit experience
  • Ability to think clearly
  • Experience from being an executive team member elsewhere
  • Relevant industry background
  • Good listening skills
  • An eye for detail
  • Experience of other audit committees
  • Team-working skills

The FRC has recently proposed an amendment to its guidelines which recommends the audit committee should include competence relevant to the specific sector in which the organisation operates.

Some key questions which the audit committee should address include:

How do we know that there is a comprehensive process for identifying and evaluating key risks across the organisation and deciding what levels of risk are tolerable?

How do we know that the culture of risk management in the organisation is appropriate and how well people are supported to manage risk well?

How do we know how well the organisation identifies and reviews emerging and novel risks?

How do we know that the internal audit strategy is appropriate to deliver reasonable assurance on risk, controls and governance?

How do we know that accounting policies, financial management, and accounts are highlighting hidden financial risks?

How appropriate are the anti-fraud, whistle-blowing and conflicts of interest policies?

How do we know that management follows up on recommendations by auditors?

How do we know we are being effective in our work as a committee and making an impact on the organisation?

Running the audit committee

The audit committee chair should decide the timing and frequency of committee meetings, and the committee should meet as many times as the role and responsibilities require – typically there will be 3-4 meetings per year. FRC Guidance suggests the following:

  • There should be at least 3 committee meetings per year, timed to coincide with key dates in the financial reporting and audit calendar, for example, to examine the audit plan before it commences, and to review the draft annual report and accounts before approval by the Board; to review the effectiveness of the audit process once it is complete.
  • Sufficient time should be allowed between audit committee meetings and meetings of the main board to allow work arising from the committee to be carried out and reported to the Board as a whole.
  • Only the audit committee chair and members are entitled to attend meetings of the committee. Salaried executives attend by invitation and may be asked to leave for certain items of business. It is usual for the Accounting Officer (usually the CEO) and Finance Director to attend regularly.
  • At least once a year, the audit committee should meet the external and internal auditors, without management being present, to discuss its responsibilities and any issues arising from the audit.
  • Work continues outside of formal meetings, with the Chair keeping in contact with key people such as the Board Chair, CEO, Finance Director, audit lead partner and head of internal audit.

It is very important to have a clear channel of communication between the audit committee and main Board. If the audit committee chair does not sit on the main board, it will be necessary to arrange for the chair of audit to meet with the Board to report on any findings and programme of work carried out. FRC Guidance recommends that the report should cover:

  • Any significant issues found with the financial statements and how these were addressed
  • An assessment of the effectiveness of external audit and recommendations on the selection, reappointment or removal of the auditor
  • Issues where the Board has asked for the audit committee’s opinion

A typical cycle of meetings might be:

Meeting 1

  • approval of internal audit plan for following year in conjunction with review of risk register
  • consideration of external audit pre-scoping report
  • review of routine internal audit reports

Meeting 2 

  • presentation of draft accounts and statement of internal control
  • review of external audit report on accounts
  • review of annual internal audit report for year
  • review of other assurance reports for year
  • review of risk register

Meeting 3

  • post audit effectiveness review
  • review of routine internal audit reports
  • review of strategic and operational risk registers
  • ‘deep dive review’ of a key risk area

Meeting 4 

  • review of routine internal audit reports
  • review of risk registers
  • ‘deep dive review’ of a key risk area

Strive for continuous improvement

Audit Committees should assess their performance annually. Typically, this review will cover areas such as reviewing and, if necessary, updating their terms of reference, assessing whether sufficient resources have been deployed to support their activities, the effectiveness of meetings, procedures for induction, training and succession planning, and the quality and value of internal and external audit activities. An external review can help to bring an independent perspective. The Committee should draw up its own plan for improvement as a result of the self-assessment, either by requesting future training or development for members, or by changing its processes and procedures.

Final thoughts

Audit Committees have a crucial role to play in the governance of any organisation – unless they report effectively on the relevance and rigour of the underlying structures and processes and on the assurances that the Board receives, the entire governance framework can be compromised. Effective audit committees provide comfort and reassurance to senior managers, ensuring that the organisation has a sound base for growth and protection against nasty surprises. Audit Committee members must therefore take responsibility for scrutinising the risks and controls affecting every aspect of the business. Whilst the role of an Audit Committee member is demanding, it can also be an enriching and rewarding experience.

If you need help in establishing an audit committee, an independent review of its effectiveness or advice on any other aspect of corporate governance, please get in touch.

Mark Johnson is an experienced solicitor & chartered company secretary supporting businesses, charities, social enterprises & academy trusts on governance, compliance & legal affairs. He also serves as an independent audit committee member for a leading Multi-Academy Trust. Please get in touch info@elderflowerlegal.co.uk or 01625 260577.

If you would like to be kept up to date on more topics like this, then why not sign up to receive our regular newsletter.

What Does an Effective Audit Committee Actually Do?

Part 1 – Role of the Audit Committee

The audit committee makes up one of the three pillars of the Board committee system and forms a critical part of the overall framework of corporate governance for medium to large companies, housing associations, charities, academy trusts and public sector bodies. Experience shows that the role is not an intuitive one and there is often confusion about the purpose of an audit committee.

For example, in a recent Education Funding Agency webinar, a leading accountancy practitioner was asked what the role of the audit committee is in an academy trust. He replied that its job was ‘to manage risk in the organisation’. That may be his perception, but in practice how can this group of usually 3-5 non-executive members possibly have eyes and ears in every corner of the organisation? Do they really have the time and resources to achieve that result? Or is it more a case of providing oversight and ‘reasonable assurances’ to the Board and external stakeholders that appropriate systems and controls are in place? In this piece, I look at the role and functions of the audit committee and share some lessons on what makes it effective.

Why have an audit committee?

In the education sector, all academy trusts with an annual income over £50 million are required by the Financial Handbook to appoint a dedicated audit committee (smaller ones may combine this function with other committee business). Under the NHS Codes of Conduct and Accountability and the Monitor Governance Code, health trusts are required to establish one; local authorities are required by accounting standards to establish one; and the National Housing Federation Governance Code requires that ‘All but small non-developing organisations must have a committee primarily responsible for audit, and arrangements for an effective internal audit function’. Similarly, HM Treasury requires that all government departments, executive agencies and arm’s length bodies should establish an ‘audit and risk assurance committee’. UK listed companies are required by law to have an audit committee.

The UK Corporate Governance Code (widely regarded as the gold standard of best practice) requires that boards should establish formal and transparent arrangements for:

  • Consideration of how they should apply reporting and risk management and principles of internal control; and
  • Maintaining an appropriate relationship with the organisation’s external auditors

These functions are discharged by establishing a formal audit committee with clear terms of reference.

The Board must put in place governance structures and processes to ensure that the organisation operates effectively, meets its strategic objectives and provides the Board with assurance that this is the case. However, even the best structures and processes can let down an organisation if they, and the assurances they provide, are not operated with sufficient rigour. Boards are ultimately responsible for assessing risk, signing off financial statements and the accuracy of public announcements. There can be significant personal liabilities for getting it wrong. Board members need to be reassured that they can rely on the information being presented to them. Boards look to their audit committee to review and report on the relevance and rigour of the governance structures in place and the assurances the Board receives. The Audit Committee supports the Board in this area by obtaining assurances that controls are working as designed and by challenging poor sources of assurance.

What are the functions of an audit committee?

The UK Code lists the role and responsibilities of an audit committee:

  • To monitor the integrity of the organisation’s financial statements and any formal announcements relating to financial performance
  • To review the organisation’s internal financial controls, internal control and risk management systems
  • To monitor and review the effectiveness of the organisation’s internal audit function (if it has one, and if there is not, annually consider whether there ought to be one in the light of current risks and trends in the market)
  • To make recommendations to the board in relation to the appointment, reappointment or removal of the organisation’s external auditors
  • To approve the remuneration and terms of engagement of the external auditors
  • To review and monitor the independence of the external auditors, as well as the objectivity and effectiveness of the audit process
  • To develop and implement a policy on using external auditors to provide any non-audit services
  • To report to the board on how it has discharged its responsibilities.

The Code recommends that part of the organisation’s annual report should describe the work of the audit committee.

The Financial Reporting Council has published extensive guidance on the role of the audit committee. Of particular note are the following points:

  • The organisation’s management is under an obligation to make sure that the audit committee is kept properly informed and should take the initiative in providing the committee with information instead of waiting to be asked – this is crucial since the audit committee can only work properly if it is kept informed.
  • Whilst the core duties of the audit committee are oversight, assessment and review of systems and functions in the organisation, it is not the duty of the committee itself to carry out those functions or to make or endorse substantive decisions. Executive management prepares financial statements, auditors prepare audit plans. Executive management is responsible for actually managing risk (within the risk appetite and tolerances set by the Board as a whole). The audit committee’s role is to provide reasonable assurance to the board and external stakeholders that the functions are being carried out properly. They must flag up issues identified. FRC guidance recognises that, faced with unsatisfactory explanations by management, the committee may ‘have no alternative but to grapple with the detail and perhaps seek independent advice’. They might also from time to time carry out thematic reviews of known areas of high risk on their own initiative.

In the public sector, HM Treasury sees the role of the audit committee ‘is also to act as the conscience of the organisation’ and to provide insight and constructive challenge where required, for example, on risks arising from increasing constraints on resources, new service delivery models, information flows on risk and control and the general agility of the organisation to respond to new risks.

Oversight of risk management and controls

The effective development and delivery of an organisation’s strategic objectives, its ability to seize new opportunities and to ensure its own long-term survival depend on its identification, understanding of, and response to, the risks it faces. In an earlier post we looked at how boards can develop an effective approach to risk management. Risk appetite is the level of risk that the organisation is willing to take in pursuit of its objectives (it can have ‘upside’ as well as ‘downside’). It is concerned with the amount and types of risk the Board would like the organisation to take without a serious threat to its financial stability – it can be quantified so that prudent limits can be set. Setting that level of risk appetite is a key role for the Board as a whole.

The UK Corporate Governance Code requires that ‘the Board should satisfy itself that appropriate systems are in place to identify, evaluate and manage the significant risks faced by the organisation’. The Board should carry out a review of the effectiveness of risk management systems in the organisation. The work of the audit committee helps to inform this, but it must always be remembered that ‘the buck stops’ with the Board.

An internal control system must be effective in preventing losses arising from risk events, identifying risk events and taking corrective action when they occur. An internal control system is concerned with managing business risks which are largely internal to the organisation. Controls will include the policies, processes, procedures, methods, measures, tasks and behaviours to ensure that operational activities progress effectively. It is designed to provide assurance on the achievement of objectives as follows:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

Internal controls can be classified into 3 main types:

Preventive controls – intended to prevent an adverse risk event from occurring, e.g. fraud by employees

Detective controls – for detecting risk events when they occur, so that an appropriate person is alerted and corrective action can be taken

Corrective controls – measures for dealing with the consequences of risk events that have occurred.

The various sources of assurance make up what is known as the ‘three lines of defence’:

First line: management assurance from frontline or operational areas;

Second line: oversight of management activity, separate from those responsible for delivery (but still part of management chain);

Third line: independent and objective assurances from internal audit and external bodies.

Together these assurances make up the Assurance Framework.

“The Assurance Framework is the ‘lens’ through which the Board examines the assurances it requires to discharge its duties. The key question Board members need to ask is ‘How do we know what we know?’ The Assurance Framework should provide the answer.” (NHS Audit Committee Handbook 2011).

The role of ‘internal audit’ in assisting the committee

‘Internal audit’s role is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight’ – Institute of Internal Auditors.

The role of internal audit is to provide independent assurance that an organisation’s risk management, governance and internal control processes are operating effectively. Unlike external auditors, they look beyond financial risks and statements to consider wider issues, such as operational effectiveness, the organisation’s reputation, growth prospects, impact on the environment, dealings with employees and compliance with regulations. The internal audit function can be performed by directly employed staff (with appropriate reporting lines), or alternatively the function can be outsourced to a specialist firm. The scale and frequency of activities really depends on the complexity of the organisation. A properly resourced internal audit function can provide management with valuable objective assurance and advice on risk management and controls. The data and reports produced by internal audit will be valuable data to feed into the audit committee meetings, particularly where they highlight trends or recurring problems which the committee may need to probe more deeply.

In part 2, we will consider the composition of the Audit Committee, how it can manage its business effectively and the qualities to look for in effective members.


Top Ten Legal Risks for Enterprise and How to Manage Them

As 2016 dawns, now is a good time to reflect on your business plans for the year ahead. Make some time to consider these legal risks and how you would manage them. A modest investment now could pay handsome dividends later.

  1. Get your company structure in order

Are you using the optimum legal format for your enterprise? Have circumstances changed so that you need to revisit this? For example, if you are a sole trader or partnership taking on more liabilities and risk, is now a good time to incorporate and benefit from limited liability status? If you plan to raise external funding, will funders require you to adopt a specific legal structure, such as a company limited by shares or a community interest company with an ‘asset lock’? Are you making the most of any tax reliefs available, for example by adopting charitable status? Is your company’s constitution in order – is it clear who is responsible for what, who can spend the organisation’s money and up to what limit, who is authorised to enter into contracts or employ staff? If you are working with new partners or external investors, have you got a shareholders’ or partnership agreement in place which protects your position properly, sets out clearly what is expected of each party, how the risks and rewards will be shared and how any falling out would be dealt with? Download our free guide to legal structures here for more tips.

  2. Understand the implications of taking on business premises

If you are planning to take on business premises this year, make sure you understand the risks involved. Taking on a long term inflexible lease can be a real millstone around your neck. Are there more flexible arrangements you could use instead, such as an informal licence, sharing space with others or the increasingly popular shared business centres for start-ups? If you do decide to take the plunge on a lease, understand the implications. Is the rent realistic and affordable, and how will it increase during the term of the lease? Insurance and repairs: landlords like to get tenants to sign up to ‘full repairing and insuring’ leases – which means you will be responsible for the costs of insuring the building as well as the rent; you will also be responsible for carrying out works to put the property into a good state of repair at the end (known as ‘dilapidations’) and paying a service charge to cover external repairs, cleaning and building services. These can be very significant costs to budget for. Consider limiting your liability at the outset by having a schedule of condition prepared. Get proper professional advice before you sign anything!

  3. Get your contract terms in order

Effective and enforceable contracts are the lifeblood of any successful enterprise. Contracts with customers, service users, suppliers, employees, landlords, business partners and insurers all make up the payment flows, risk allocation and risk management tools which allow an enterprise to manage its cash flow, generate surpluses and remain solvent. Properly drafted contracts which are clear and unambiguous are a vital protection for your organisation and can really help to avoid costly disputes if things go wrong. Consider getting your contracts reviewed and put into shape by a professional. Find out more.

  4. Are you up to date with regulations that apply to your business?

The scope and burden of regulations affecting business and non-profits just seems to grow exponentially, especially in highly regulated sectors like health and social care, education, financial and professional services. The default knee-jerk response of politicians to any problem or scandal, however isolated, seems to be to pass new laws, putting more responsibilities and penalties on managers for non-compliance. For example, last year saw the introduction of new laws affecting consumer contracts, a new minimum living wage starting in April 2016, new rules affecting zero hours contracts and a tough new approach to data protection violations. It can be difficult for small and medium sized enterprises to keep up with all the developments and stay compliant. One solution is to sign up to a subscription service like ours, designed to provide peace of mind. We can help you to stay focused on running your business while we take care of the paperwork, updating policies and contracts and providing on-call support with cost certainty.

  5. Protect your business ideas and confirm ownership

Have you taken all the necessary steps to protect the names, logos and goodwill associated with your enterprise? These can be a real source of competitive advantage and enhance the value of your business. Patents (which protect mechanical devices, industrial processes and chemical compounds), trademarks (which protect distinctive slogans, logos, domain names and sounds) and designs, can all be registered with the UK Intellectual Property Office. The protection gives you the right to stop others from using them without permission. Other unregistered rights can arise automatically, such as copyright (which protects literary, dramatic, musical and artistic works, sound recordings, films and broadcasts), unregistered trademarks and confidential information (such as method statements or processes). If you are discussing confidential plans with a potential business partner, do you routinely get them to sign a non-disclosure agreement to stop them poaching your ideas? Is it clear in your contracts with staff and suppliers who will own the rights to any inventions or creations?

  6. Control your debts

Good cash flow management is essential to any business. It is important to know the precise identity of the customer with whom you are dealing and ideally perform a credit reference check on them. Mistakes in the name or address of a customer may prevent you from recovering a debt from them later. Get proper written terms of business in place and consider setting credit limits for individual customers. If the customer’s credit looks doubtful, consider taking additional security, such as payment in advance or a guarantee from a third party. Late Payment legislation was introduced in 1998 to encourage a culture of prompt payment. Evidence suggests that late payments are a major continuing problem. A survey by the Federation of Small Business in 2015 found that 43 per cent of firms have waited over 90 days beyond the agreed payment date before they got the money they were owed. New rules were brought in during 2013, but the level of awareness about how to use the rules still appears to be low. Businesses may fear upsetting their customers and jeopardising future business, but used wisely the rules can really help your business. Find out more.

  7. Understand your duties as an employer

It is vital to understand your responsibilities when taking on employees. Most problems in the workplace stem from poor communication, lack of clarity about roles or expectations of new recruits, or failing to tackle performance issues when they arise. With payroll costs typically averaging 60%-75% of total costs for most enterprises, this is a high risk area worthy of intensive attention. Time spent getting your documentation, contracts, policies and procedures in order will pay dividends in the long-run. Although the introduction of employment tribunal fees has deterred some legal claims, an employment dispute can be damaging for morale, costly in terms of time and resources and can have a very negative impact on an organisation’s reputation, including implications when bidding for external contracts. Time spent getting your paperwork in order could be a wise investment to avoid problems and expense further down the line. Don’t put off that appraisal meeting or employee paperwork any longer! See more on this.

  8. Manage disputes effectively

Disputes are almost inevitable at some point in a business relationship. Various techniques can be used to resolve them. The cost of taking a case to court has risen dramatically, not least because of the increase in court fees brought in during 2015. For disputes worth over £10,000 the court fee can be 5% of the value of the claim just to issue the claim form (for example a claim for a debt of £15,000 would incur a fee of £750, plus an additional fee of up to £1,000 payable for the hearing). Not surprisingly this is prompting a strong interest in alternative forms of resolving disputes, such as ombudsmen, adjudication, expert determination and mediation. Many trade associations now offer a mediation scheme for their members, and we are seeing the growth of private online dispute resolution forums for resolving disputes, such as resolver.co.uk or modria.com. Consider amending your terms of business to require any disputes to be referred to a less costly, swifter process, rather than the courts. Remember also that disputes are often won or lost by the quality of evidence available. Make sure you keep good records of contract documents, letters, emails and notes of phone calls and store them securely for at least six years after the relationship ends. Contemporaneous notes of meetings or calls can hold great weight with a judge.

  9. Be careful with your data

As we move inexorably into a digital world, the amount of data stored and transferred concerning operations, customers, suppliers and employees is increasing exponentially. The complexity of modern business relationships, multiple interfaces between networks, cloud-based applications and storage, social media platforms and electronic devices, as well as increasingly sophisticated fraudsters and hackers, means the potential for personal data to be lost or misused is growing all the time. At the same time regulators are adopting a tougher enforcement approach towards data breaches and unauthorised use of data, such as unsolicited marketing calls, texts and emails. For example, the organisers of Parklife Festival in Manchester were last year fined £70,000 for sending unsolicited text messages.

In October 2015 TalkTalk suffered massive adverse publicity when it revealed that the data of up to 4 million customers may have been hacked. The charity British Pregnancy Advisory Service was fined £200,000 when its website was hacked and sensitive details of service users compromised. If you handle personal information, you will most likely need to register as a data controller with the ICO. Registration costs £35 per year and can be completed online. Failure to notify or renew a notification when you are not exempt from notifying is a criminal offence, punishable by a fine of up to £5,000. You also need to comply as a minimum with the eight data protection principles.

Take extra care if you are planning to sell or pass on your customer lists to third parties – Pharmacy2U Limited was fined £130,000 in 2015 for passing on its customer lists without consent from customers. It is important to get the right ‘opt in’ consent from customers and service users at the first point of contact with them, either through website forms, on paper or over the telephone.

  10. Get your policies in order

A full suite of policies may be your first line of defence against potential problems with employees or regulatory action. You cannot possibly have eyes and ears in every corner of your business, but you can set out clearly what is expected of your staff, suppliers and partners. Policies should cover every aspect of your business, such as health and safety, prevention of discrimination and harassment, environmental standards, social media usage, data handling, sickness absence and redundancy. If there is an accident or a claim, your policies can help to demonstrate that management took all reasonable steps to avoid causing harm. Make sure staff and suppliers are made aware of the policies when first joining and refresh them annually.

Start 2016 on the right footing by giving some thought as to how to best protect your business against legal risks. Contact us now for a ‘no obligation’ discussion on how we could help. We wish you a happy and prosperous New Year.


Mark Johnson is an experienced solicitor & chartered company secretary. As Principal of Elderflower Legal, he provides a range of friendly fixed price legal and compliance services for SMEs, charities, social enterprises, academy trusts and local authority trading companies, helping them to flourish. Please get in touch at info@elderflowerlegal.co.uk or 01625 260577.


How Can the Board Develop an Effective Approach to Risk Management?

Does Your Board Have an Effective Approach to Risk Management?

Risk management is a key component of sound corporate governance. There has been a popular view in the past that risk management was a brake on progress: a discipline inhabited by clip-board clutching box tickers intent on stifling entrepreneurial innovation. Not any more – for enlightened organisations have embedded an effective approach to managing risk into their culture and everyday processes. Risk management should be as much about spotting opportunities, as avoiding hazards.

‘The effective development and delivery of an organisation’s strategic objectives, its ability to seize new opportunities and to ensure its own long-term survival depend on its identification, understanding of, and response to, the risks it faces,’ says the Financial Reporting Council.

High profile scandals in private, public and third sectors, corporate failures, the banking crisis of 2008-2009, as well as increased globalisation, interconnectedness and the fast pace of change in the business environment, have all focused more attention on the way boards handle risk management. There has been a step change in the need for boards to focus on risk in the last few years. Regulators have toughened their approach – all but the smallest companies in the UK must now prepare a ‘strategic report’ which includes a ‘fair review of the company’s business and a description of the principal risks and uncertainties facing the company.’ For charities, the SORP 2015 requires in the annual report from trustees ‘a description of the principal risks and uncertainties facing the charity and its subsidiary undertakings, as identified by the charity trustees, together with a summary of their plans and strategies for managing those risks’. Sector specific regulators from the Care Quality Commission, to the Health & Safety Executive expect to see a proper risk management strategy.

Corporate Governance codes all stress the need for an effective approach. The UK Code states in Section C, ‘The board is responsible for determining the nature and the extent of the principal risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.’ In the 2014 edition this was strengthened to include a new provision that ‘a robust assessment’ is carried out annually of the ‘principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity.’ Similarly, the Governance Code for the Voluntary Sector requires that the board must ensure ‘..it regularly identifies and reviews the major risks to which the organisation is exposed and has systems to manage those risks.’ But also, there are increasing expectations from all stakeholders that the Board is aware of risks and has an effective plan to manage them. It is no longer acceptable in the public’s mind for organisations to find themselves in a position where unexpected events cause financial loss, operational disruption, damage to reputation and loss of market position. Witness the outcry every time a bank’s cashpoint network goes offline.

What is risk?

A useful working definition is ‘an event with the ability to impact (inhibit, enhance or cause doubt about) an organisation’s mission, strategy, projects, routine operations, objectives, core processes, key dependencies and/or the delivery of stakeholder expectations.’

By taking a proactive approach to risk management, organisations should achieve positive benefits:

  • Operations should be more efficient because events that can cause disruption are identified in advance and actions taken to reduce the likelihood and to contain the costs if they do occur.
  • Processes should be more effective because of the thought that is given to selecting processes and thinking about the risks involved in different alternatives.
  • Strategy should be more effective, because risks associated with different options will have been carefully analysed and better decisions reached, leading to better outcomes.

Types of risk

Risks break down into different types. Risk management practitioners classify risks into hazard risks, control risks and opportunity risks. In general terms, organisations seek to mitigate hazard risks, manage control risks and embrace opportunity risks.

Risks break down into categories:

  • Financial risks – (e.g. accuracy and timeliness of financial information, accurate accounting records, adequacy of cashflow, interest rates, exchange rates, investment returns).
  • Operational risks (machine failure, human errors, service quality, incorrect contract pricing, employment issues, health and safety, IT failures, data breaches, fraud and theft).
  • Environmental and external risks (reputation and adverse publicity, cyber attacks, demographic trends, government policy, terrorism, extreme weather events, pandemics).
  • Compliance with laws and regulation – risk of legal claims, regulatory action, prosecution and fines for failure to comply with obligations.

Risk assessment

Having identified the risks faced by your organisation, they should be categorised in terms of their likelihood of occurrence and potential severity of impact (including financial loss or impact on reputation). Sometimes a risk score of 1-5 may be awarded (with 1 being very low and 5 being very high). The impact score may be multiplied by the likelihood score to identify the areas where most board attention and scrutiny is required. This will build up into a risk register similar to the one shown in Figure 1 below.

Figure 1: Example Risk Register (risk table image not reproduced here)

Once each risk has been evaluated, the board will need to consider any action that needs to be taken to mitigate the risk, either by reducing the likelihood of it occurring, or lessening the impact if it does. The technique of ‘4Ts’ is sometimes used:

  • Tolerate – accept the risk because it is not considered a significant threat.
  • Trim – take measures to control or reduce the risk, so that the residual risk after control measures have been applied is acceptable (e.g. create policies and processes, train staff on how to reduce likelihood).
  • Transfer – shift the financial consequences to third parties (e.g. through taking out insurance or outsourcing to the supply chain, or using indemnity clauses in contracts).
  • Terminate the risk – by getting out completely – e.g. closing down an excessively risky operation or facility.

The risk register should be used for recording risks that have been identified, actions taken to investigate the risk, identifying the person with management responsibility for the risk, recording measures taken to deal with risks, and recording regular reviews of the risks. The risk register should be a living document that is reviewed at scheduled intervals by the board – not a one-off exercise that then sits in a filing cabinet.
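The scoring, 4Ts treatment and register-keeping described above can be kept in a small structured register rather than a spreadsheet that is never reopened. The following is an added example, not part of the original post or Elderflower Legal’s material: the register entries, the 90-day review interval and the residual-score tolerance of 8 are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# The 4Ts from the text: Tolerate, Trim, Transfer, Terminate.
TREATMENTS = {"tolerate", "trim", "transfer", "terminate"}


@dataclass
class Risk:
    description: str
    category: str                     # financial / operational / external / compliance
    owner: str                        # person with management responsibility
    likelihood: int                   # 1 (very low) .. 5 (very high)
    impact: int                       # 1 (very low) .. 5 (very high)
    treatment: str                    # one of the 4Ts
    residual_likelihood: Optional[int] = None   # after controls; None = unchanged
    residual_impact: Optional[int] = None
    last_reviewed: Optional[date] = None        # None = never reviewed by the board

    def __post_init__(self) -> None:
        for score in (self.likelihood, self.impact):
            if not 1 <= score <= 5:
                raise ValueError("likelihood and impact must be scored 1-5")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"treatment must be one of the 4Ts, got {self.treatment!r}")

    @property
    def inherent_score(self) -> int:
        # Impact multiplied by likelihood, as in the text.
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        # Score remaining after the chosen treatment has been applied.
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp


def board_attention(register: List[Risk], top_n: int = 10) -> List[Risk]:
    """Risks ranked by inherent score, highest first; the board concentrates on the top N."""
    return sorted(register, key=lambda r: (-r.inherent_score, r.description))[:top_n]


def overdue_reviews(register: List[Risk], today: date, interval_days: int = 90) -> List[Risk]:
    """Entries never reviewed, or not reviewed within the agreed interval."""
    return [r for r in register
            if r.last_reviewed is None or (today - r.last_reviewed).days > interval_days]


def unacceptable_residual(register: List[Risk], tolerance: int = 8) -> List[Risk]:
    """Risks still above the board's tolerance even after treatment: controls need revisiting."""
    return [r for r in register if r.residual_score > tolerance]


# Constructed sample register (hypothetical entries, not from the post).
REVIEW_DATE = date(2016, 1, 4)
SAMPLE_REGISTER = [
    Risk("Loss of customer personal data through website compromise", "operational",
         "Head of IT", 3, 5, "trim", 2, 4, date(2015, 11, 2)),
    Risk("Cashflow shortfall if largest customer pays late", "financial",
         "Finance Director", 4, 4, "transfer", 4, 3, date(2015, 12, 1)),
    Risk("Marketing texts sent without opt-in consent", "compliance",
         "Marketing Manager", 2, 4, "trim", 1, 4, None),
    Risk("Extreme weather closes main site", "external",
         "Operations Manager", 1, 3, "tolerate", None, None, date(2015, 6, 1)),
    Risk("Speculative currency trading by treasury team", "financial",
         "Finance Director", 3, 5, "terminate", 1, 1, date(2015, 10, 15)),
]

if __name__ == "__main__":
    for r in board_attention(SAMPLE_REGISTER, top_n=3):
        print(f"{r.inherent_score:>2} -> {r.residual_score:>2}  {r.owner:<18} {r.description}")
    print("overdue:", [r.description for r in overdue_reviews(SAMPLE_REGISTER, REVIEW_DATE)])
    print("still too high:", [r.description for r in unacceptable_residual(SAMPLE_REGISTER)])
```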

How does the Board discharge its responsibility?

The approach taken by any Board obviously depends on the size of the organisation and the complexity of its operations, but any organisation can benefit from a structured approach. In an organisation with full time professional managers, it would be usual for the managers to take the lead in assembling the risk register and bringing it to the board for review. However, in a smaller organisation the board members themselves may have to take the lead in compiling a risk register, perhaps with the assistance of an external facilitator, such as Elderflower Legal.

The processes which boards use to consider risks were examined in some detail by the FRC in 2011 and the Sharman Inquiry in 2012. The key areas of best practice recommended were:

  • The board must first decide on its appetite and willingness to take on risk – this feeds into the organisation’s culture, behaviour and values. Are the risks commensurate with the expected returns? An environment of excessive or ill-informed risk-taking could be fatal to the organisation’s long-term future. The Walker report into the banking crisis found that boards simply did not understand the risks that their traders were taking on mortgage-backed securities. At its simplest level, the board may set financial downside limits on transactions and these feed through into specific limitations on the authority of managers in any scheme of delegation. There are also inevitable linkages to personal reward systems and motivations and HR policies and how these influence staff attitudes to risk.
  • Risk management and internal control should be incorporated within the organisation’s normal management and governance processes – not treated as a separate or one-off compliance exercise.
  • The board must make a robust assessment of the main risks to the organisation’s business model, including ability to deliver its strategy, solvency, liquidity and long-term viability.
  • Once the risks have been identified, the board should agree how they will be managed and mitigated. It should satisfy itself that the management and control systems are adequate and, in larger organisations, receive adequate formal assurances from managers, the audit committee and external auditors. Regular reports should be coming to the board to provide this. Risk data should be captured from across the organisation: often front-line staff are the first to be aware of problems.
  • Risks and associated control systems should be reviewed on a regular ongoing basis.
  • The organisation should report publicly and transparently to its stakeholders on the principal risks it faces, any material uncertainties and their review of the risk management and internal controls. Stakeholders should feel that the board has a visible role in governance and stewardship and that the board is held accountable.

Five key questions for the Board

What are the top 5 actions the board can take to ensure success?

  • Focus on the culture – is there an embedded commitment to risk management and control in your organisation? Does the board lead by example? There should be openness and creativity around risk issues. (Don’t be like HBOS, which sacked its group head of risk when he tried to warn the Board they were taking excessive risk).
  • The risk register and associated controls must be documented, understood, reviewed and disseminated regularly – not locked in a filing cabinet and dusted off once a year, or even less frequently.
  • There must be a process for monitoring and reviewing risk – adequate time must be scheduled at board meetings to consider risk issues and review whether the organisation has the skills and capacity and tools to manage risks effectively. The board should focus its attention on the top ten areas identified with highest risk score.
  • The board must be alert to new and emerging risks (such as cyber attacks, sovereign debt crises, Grexit/ Brexit, global political instability/ terrorism, climate change, social media, pandemics, demographic changes).
  • Report on the board’s activities in examining and reviewing risks so that stakeholders can gain assurance that the board is discharging its duties and form a balanced, clear and informed view of the organisation’s prospects.

As with all aspects of good governance, the effectiveness of risk management and internal control ultimately depends on the skills, knowledge and behaviour of those responsible for operating the system. The board must set the desired values, ensure they are communicated, incentivise the desired behaviours, and sanction inappropriate behaviour.

Mark Johnson is an experienced solicitor and company secretary helping SME businesses, charities, social enterprises to manage risk, ensure good governance and protect their legal position. elderflowerlegal.co.uk

Ten Top Tips for Effective Governance

How can you set up your governance systems to achieve results?

Corporate governance has received increased attention in recent years as a result of high-profile scandals involving abuse of corporate power and, in some cases, unlawful activity by corporate officers. Governance is all about the way organisations are directed, controlled and held accountable to deliver their purpose over the long-term. The organisation’s practices and procedures should be organised so that the organisation achieves its mission and goals, whilst complying with the law and sound ethical practice.

Putting in place a well-defined and enforced governance structure can provide a structure which works for the benefit of everyone concerned, by ensuring that your organisation adheres to accepted ethical standards and best practices, as well as formal laws. However, it is important that the systems are proportionate to the size of the organisation and the risks it faces. We set out below our ten top tips for effective governance.

Positive benefits of good governance include:

  • People will trust your organisation (including members, service users, funders, suppliers and the public), leading to improved trading terms
  • The organisation will know where it is going
  • The board will be fully connected with members and wider stakeholders
  • Good and timely decisions will be made
  • The Board will be better able to identify and manage risks
  • The organisation will have greater resilience to cope with problems
  • The organisation should enjoy improved financial stability

In our experience, there are common areas that often cause difficulties for organisations. Here are our ten top tips for effective governance.

  1. Mistakes at the start

When setting up a new organisation it is important to have a clear shared view of the vision and mission for the organisation. It is important to plan ahead and bring your supporters with you. Think carefully about your strategy from the start and articulate the vision continually to all your stakeholders. (A stakeholder is any individual or group who depends on the organisation to fulfil their needs and on whom the organisation depends).

  2. Choose the right legal format and corporate structure

Think about what you want your organisation to achieve and choose the right format. Take professional advice and learn from what others have done. Don’t let the tail wag the dog. When selecting a legal format, form should follow function, structure follows strategy. First decide what you want to do, then choose the right structure which facilitates this. Don’t rush into setting up one particular format without understanding what the choices and implications are. It can be expensive to unravel the wrong choice. Professional advice is a sound investment.

  3. Clarity of roles

There may be many roles in a complex organisation. It is important to have clarity about the responsibilities of the Board, individual directors, officers and managers. Write down the key responsibilities and draw up a structure chart and scheme of delegation so that everyone knows who is responsible for what and who has the authority to take decisions. Role descriptions should be easy to understand and new joiners to the organisation should be offered an induction. Roles and responsibilities should be reviewed annually, perhaps as part of an individual appraisal.

  4. Poor Board performance

Board members may fail to perform effectively unless they have the right training and skills and a proper understanding of what their role is (in a documented role description). This can have a knock-on effect on the rest of the organisation, if it is not tackled effectively. There should be regular skills audits of the Board to ensure they are performing well. Group training sessions can be run to remind the Board of their role and continually improve their skills. A regular formal review of the Board’s effectiveness facilitated by an independent observer can be a useful tool for improvement.

  5. Recruitment and succession planning

You need to attract good people onto your board with a wide range of skills. If you have skills gaps and vacancies this can lead to ineffective performance or lack of scrutiny. Cast the net wide in looking for new and diverse talent and plan ahead to refresh the Board at regular intervals. Proper training and induction should be provided to would-be recruits to the Board. Allow them to attend a few meetings as an observer before taking the plunge.

  6. Ineffective meetings

Regular meetings to enable a proper exchange of views are very important to good governance. In a fast world, where digital communication is becoming the norm, some of the nuances of physical meetings, body language and interaction can be lost. Meetings need to be properly run, with a clear agenda and board papers circulated in advance, at regular times and accessible venues. Attendees should not leave feeling unclear about what has been decided; concise minutes should be prepared and circulated promptly after the meeting. The Chair plays a vital role in running effective meetings, supported by a good company secretary.

  7. Dominant founders

Sometimes the original founder of the organisation, a long-serving Chief Executive or Chair may have undue power or influence. Sometimes they may take on too much responsibility and spread themselves too thin. It is important to document the roles and responsibilities of key officers, including the limits on any delegated authority to make decisions (e.g. financial limits on payments, requirements for second signature etc.). It is a good idea to write into the constitution a requirement for certain appointments to be refreshed every few years.

  8. Mission drift

If an organisation starts to drift away from its core mission or principles, this can cause a sense of confusion and disengagement for board members, employees, members and customers. There could be a variety of reasons for this. Funding streams or contracts may encourage managers to move into new areas of activity. It is important for the Board to continually review whether the organisation is still fulfilling the objectives written into its constitution. The constitution may need to be reviewed and refreshed to cater for change and this will usually require the members to vote in favour of the change.

  9. Engagement with members and stakeholders

Members and stakeholders need to feel that their voice counts and need to be kept regularly informed about the organisation’s activities. The board must be accountable to and represent the interests of the membership and service users effectively, otherwise a division can arise. This relies on transparent rules and reporting lines, as well as effective regular communication by the Board to keep all stakeholders informed. Members’ meetings should be appealing and easy to attend – think about possible incentives to get people to attend. Cadburys used to give away free chocolate to shareholders who attended its AGM!

  10. Deal with conflict swiftly and decisively

Conflicts occur in most organisations from time to time. Unfortunately, disagreements can quickly escalate and cause rifts within the organisation as positions become entrenched. Conflicts are not always a bad thing – they can help to bring issues to the fore and lead to better debate. The Board, usually through the Chair, needs to deal with conflicts diplomatically, mediating between the different parties to achieve a positive outcome.

Mark Johnson is an experienced solicitor and company secretary helping charities, social enterprises and SME businesses to flourish. His company Elderflower Legal offers a range of support packages to help organisations with legal compliance, managing risk and good governance. For more resources check out elderflowerlegal.co.uk.
