This guide is based on UK law as at 1st February 2010, unless otherwise stated. It is part of a series on corporate governance.
The UK Corporate Governance Code states:
"The board is responsible for defining the company’s risk appetite and tolerance. The board should maintain a sound system of risk management and internal control to safeguard shareholders’ investment and the company’s assets" – main principle C.2.
The board needs to satisfy itself that it has appropriate systems to identify, evaluate and manage any significant risks the company might face.
(Note: the Code does not apply to all companies. See: The reach of the UK Corporate Governance Code, an OUT-LAW guide)
The Code also recommends that the board (or the audit or risk committee) annually reviews the system of internal controls and reports to shareholders that it has done so (the FSA’s Disclosure and Transparency Rules also require such a report). The review should cover ‘all material controls, including financial, operational and compliance controls and risk management systems’.
The Turnbull Guidance (annexed to the Code) suggests ways of applying these principles. It acknowledges that risk-taking entrepreneurship is an essential part of any business and that the purpose of internal controls is to manage risk rather than to try to eliminate it. In other words, no system can guard against every adverse event, but a sound one can improve the chances of avoiding toxic assets or identifying a rogue trader, to quote just two recent examples.
The system of internal control needs to be an integral part of normal business processes. It needs to operate throughout the year: it should not just be a box-ticking exercise done every 12 months to keep the compliance officer happy. Since risks change as the company’s business and the commercial environment in which it operates change, they must be reviewed and assessed regularly.
The Turnbull Guidance says that:
- the board must set the company’s policies for internal control; it is then up to management to implement those policies;
- the policies must enable the company to respond to the risks it faces and so safeguard its assets against loss and fraud, and identify and manage the liabilities it faces;
- the board (or an audit or risk committee) needs regularly to ask the right questions and to get the right answers to satisfy itself that the risks facing the company are being managed properly. This requires a good system of regular reporting throughout the company – so that important information from employees reaches the board.
The annual report needs to describe the system of internal control and explain any failure to comply with the Turnbull Guidance.