Appendix 4 Extract from the Turnbull Report
Roger McCormick, Chris Stears
The following text is reproduced from the Appendix to the Turnbull Report.
Assessing the effectiveness of the company’s risk and control processes
Some questions which the board may wish to consider and discuss with management when regularly reviewing reports on internal control and carrying out its annual assessment are set out below. The questions are not intended to be exhaustive and will need to be tailored to the particular circumstances of the company.
The Appendix should be read in conjunction with the guidance set out in [the Turnbull Report].
— Does the company have clear objectives and have they been communicated so as to provide effective direction to employees on risk assessment and control issues? For example, do objectives and related plans include measurable performance targets and indicators?
— Are the significant internal and external operational, financial, compliance and other risks identified and assessed on an ongoing basis? (Significant risks may, for example, include those related to market, credit, liquidity, technological, legal, health, safety and environmental, reputation and business probity issues).
— Is there a clear understanding by management and others within the company of what risks are acceptable to the board?
— Does the board have clear strategies for dealing with the significant risks that have been identified? Is there a policy on how to manage these risks?
— Do the company’s culture, code of conduct, human resource policies and performance reward systems support the business objectives and risk management and internal control system?
— Does senior management demonstrate, through its actions as well as its policies, the necessary commitment to competence, integrity and fostering a climate of trust within the company?
— Are authority, responsibility and accountability defined clearly such that decisions are made and actions taken by the appropriate people? Are the decisions and actions of different parts of the company appropriately co-ordinated?
— Does the company communicate to its employees what is expected of them and the scope of their freedom to act? This may apply to areas such as customer relations; service levels for both internal and outsourced activities; health, safety and environmental protection; security of tangible and intangible assets; business continuity issues; expenditure matters; accounting; and financial and other reporting.
— Do people in the company (and its providers of outsourced services) have the knowledge, skills and tools to support the achievement of the company’s objectives and to manage effectively risks to their achievement?
— How are processes/controls adjusted to reflect new or changing risks, or operational deficiencies?
— Do management and the board receive timely, relevant and reliable reports on progress against business objectives and the related risks that provide them with the information, from inside and outside the company, needed for decision-making and management review purposes? This could include performance reports and indicators of change, together with qualitative information such as on customer satisfaction, employee attitudes etc.
— Are information needs and related information systems reassessed as objectives and related risks change or as reporting deficiencies are identified?
— Are periodic reporting procedures, including half-yearly and annual reporting, effective in communicating a balanced and understandable account of the company’s position and prospects?
— Are there established channels of communication for individuals to report suspected breaches of laws or regulations or other improprieties?
— Are there ongoing processes embedded within the company’s overall business operations, and addressed by senior management, which monitor the effective application of the policies, processes and activities related to internal control and risk management? (Such processes may include control self-assessment, confirmation by personnel of compliance with policies and codes of conduct, internal audit reviews or other management reviews).
— Do these processes monitor the company’s ability to re-evaluate risks and adjust controls effectively in response to changes in its objectives, its business, and its external environment?
— Are there effective follow-up procedures to ensure that appropriate change or action occurs in response to changes in risk and control assessments?
— Is there effective communication to the board (or board committees) on the effectiveness of the ongoing monitoring processes on risk and control matters? This should include reporting any significant failings or weaknesses on a timely basis.
— Are there specific arrangements for managing monitoring and reporting to the board on risk and control matters of particular importance? These could include, for example, actual or suspected fraud and other illegal or irregular acts or matters that could adversely affect the company’s reputation or financial position.