Businesses face risk every day. How successful they are in managing those risks is all too apparent when major business failures unfold: failure is often the result of poor risk management practices.
Risk management is a term used to describe the processes which aim to help organisations understand, evaluate and take action on their risks, with a view to increasing the probability of their success and reducing the likelihood of failure.
Effective risk management gives comfort to shareholders, customers, employees and society at large that a business is being effectively managed and helps the company or organisation confirm its compliance with corporate governance requirements.
Risk management is relevant to all organisations, large or small. Effective risk management practices support accountability, performance measurement and reward, and can enable efficiency at all levels throughout the organisation. Risk management requires a detailed knowledge and understanding of the organisation and the processes involved in the business.
In the UK Corporate Governance Code, Main Principle C.2, Risk Management and Internal Control, states:
‘The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.’
Code Provision C.2.1 provides:
‘The board should, at least annually, conduct a review of the effectiveness of the company’s risk management and internal control systems and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational and compliance controls.’
In addition, Financial Services Authority (FSA) DTR 7.2.5R requires companies to describe the main features of the internal control and risk management systems in relation to the financial reporting process.
UK Corporate Governance Code Main Principle C.3 states:
‘The board should establish formal and transparent arrangements for considering how they should apply the corporate reporting and risk management and internal control principles and for maintaining an appropriate relationship with the company’s auditor.’
The Turnbull Guidance provides guidance on this part of the Code.
The Turnbull Guidance was originally published in 1999 and revised in 2005.
Following the review, the FRC published updated guidance in October 2005. It applies to listed companies for financial years beginning on or after 1 January 2006.
It is expected that the FRC will be consulting on further revisions to the Turnbull Guidance in the second half of 2013.