UK Issues Proposed Guidance on Risk Management, Internal Control, and Going Concern

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


The U.K.’s Financial Reporting Council (FRC) is responsible for the nation’s corporate governance code as well as its standards for accounting and auditing.

When they speak, we should all listen.

The FRC recently issued draft guidance (PDF) for directors that is intended to replace their prior guidance (2005) on internal control and risk management. You can view their press release, which includes instructions for providing feedback.

They are recommending changes to the U.K. corporate governance code (Turnbull) to reflect the new guidance.

While the document includes guidance on accounting for going concern issues, I will focus on important messages it is sending about risk management and internal control.

Here are some of the passages that caught my eye:

“Risk management and internal control should be incorporated within the company’s normal management and governance processes, not treated as a separate compliance exercise.”

“The risk management and internal control system should be embedded in the operations of the company; be capable of responding quickly to evolving risks and opportunities to the business arising from factors within the company and to changes in the business environment; and include procedures for reporting immediately to appropriate levels of management and to the board any significant increases in the company’s risk exposure or significant control failings or weaknesses that are identified together with details of corrective action being undertaken.”

“The assessment and management of the principal risks, and monitoring of the associated controls, should be carried out as an on-going process, not seen as an annual one-off exercise.”

“It is the role of management, not the board, to implement and take day-to-day responsibility for board policies on risk and control. But the board needs to satisfy itself that management have understood the risks, implemented and monitored appropriate policies and controls, and are providing the board with timely information so that it can discharge its own responsibilities. In turn, management should ensure responsibilities are clearly established at all levels of the organisation.”

“All employees share responsibility for behaving according to the agreed risk culture. Management should ensure that employees have the necessary knowledge, skills, information, and authority to establish, operate and monitor the system of risk management and internal control.”

“The ability of the board to understand and address the risks facing the company is itself a major risk factor. The board needs to ensure that informed debate is possible and constructive challenge encouraged, and to keep under review the effectiveness of its decision-making processes.”

“As with all aspects of good governance, the effectiveness of risk management and internal control ultimately depends on the individuals responsible for operating the systems that are put in place. In order to ensure the appropriate risk culture is in place it is not sufficient for the board simply to set the desired values. It also needs to ensure they are communicated by management, incentivise the desired behaviours and sanction inappropriate behaviour, and assess whether the desired values and behaviours have become embedded at all levels. ... This should include consideration of whether the company’s leadership and management style and structures, human resource policies and reward systems support or undermine the risk management and internal control system.”

“The board should identify what sources of assurance it requires and, where there are gaps, how these should be addressed. In addition to the board and its committees’ own monitoring activities, sources of assurance might include reports on relevant matters from any compliance, risk management and internal audit functions within the company, the external auditor’s communications to the audit committee about matters it considers relevant to the board and the audit committee in fulfilling their responsibilities, and other internal and external sources of information or assurance.” (Note that, unfortunately, the FRC has not mandated that internal audit provide this assurance.)

“The board should satisfy itself that these sources of assurance have sufficient integrity, independence and expertise to enable them to provide objective advice and information to the board.”

“In addition to its on-going scrutiny, the board should undertake an annual assessment to ensure that it has considered all significant aspects of risk management and internal control for the company for the year under review and up to the date of approval of the annual report and accounts. The board should define the processes to be adopted for this assessment, including drawing on the results of the board’s on-going scrutiny such that it will obtain sound, appropriately documented, evidence to support its statement in the company's annual report and accounts.” (The document includes specific guidance on areas that should be addressed in the assessment.)

“In its statement the board should, as a minimum: acknowledge that it is responsible for that system and for reviewing its effectiveness; and disclose that there is an on-going process for identifying, evaluating and managing the principal risks faced by the company, that it has been in place for the year under review and up to the date of approval of the annual report and accounts, that it is regularly reviewed by the board, and to what extent it accords with the guidance in this document. ... The board should summarise the process it has applied in reviewing the effectiveness of the system of risk management and internal control. The board should explain what actions have been or are being taken to remedy any significant failings or weaknesses identified from that review, including the process it has applied to deal with material risk management or internal control aspects of any significant problems disclosed in the annual report and accounts.”

What strikes me most is the clear indication that a periodic review and assessment of a limited number of risks in a static risk register is not acceptable. This means that the majority of risk functions have to change!

The FRC has recognized that risks to the achievement of objectives change rapidly. Every decision not only creates or changes risk, but should be made with due consideration of risk.

The management of risk has to be part of everyday management, not a separate “compliance exercise.”

As I said, when the FRC speaks, we should listen, and they are effectively challenging the role of the Chief Risk Officer as being responsible for a risk management process that is separate from everyday management processes, with separate risk reporting (from performance reporting).

Organizations should make it clear that risk is “owned” by decision-makers, the people responsible for performance. The risk practitioner is there to teach management how to fish (i.e., consider risk as an inherent part of management and decision-making), not to give them fish.

I welcome your comments.

PS — my thanks to David Griffiths for bringing the document to my attention.

Posted on Nov 16, 2013 by Norman Marks


  1. Norman: I agree completely that the FRC draft guidance on risk and control is the best produced to date by a national regulator. Coincidentally, it was issued the day before I facilitated a risk workshop with the board of a public company in the UK. I wonder how many North American boards have completed formal risk assessments on key objectives including the ethics of their company's CEO and competence and ethics of the company's external auditors but suspect in spite of the new Canadian guidance to boards on risk oversight the answer is still not many. I expect as long as COSO drives the North American corporate governance agenda real progress in North America will continue to be slow. Canada appears to be content to follow the U.S. lead in this area. When COSO confirmed their 1991 decision that objective setting is not part of an integrated control framework in 2013 they created another handicap to real progress. The fact the SEC has endorsed COSO's work product amplifies the impact. The IIA as a member of COSO must also shoulder responsibility for COSO's decision not to integrate risk and control management in the 2013 guidance release. The UK explicitly rejected the use of COSO for external reporting on risk and control as a sub-optimal route in 2005. This will continue to give the UK a major advantage in the risk governance field.

  2. Norman, thank you for sharing this. No need to say that both RM experts and management have to change their approach to the topic. Nevertheless we have to think about how we can prepare ourselves to meet those requirements keeping that level of effectiveness even in small-medium size organizations. Don't you think that a limited number of risk scenarios, when clearly linked with corporate objectives, and a close relationship with all the assurance functions could help in finding the proper trade-off between efficiency and effectiveness?

  3. Thank you Norman for alerting us to this key development in thinking and spruiking at the FRC level.

     As a risk and assurance professional I am amazed that in the haste of trying to implement varying systems of governance, risk and internal control approaches have for many organisations tended to be treated as a set and forget compliance approach.

     I find this paper refreshing to highlight that the risk and internal control disciplines are required to be tailored, integrated to enhance the current business and cultural working models of an organisation.

     Risk Management is really about commonsense management, wherein the risk discipline should be utilised to facilitate an organisation to focus, prioritise and effectively allocate responsibility and ensure effective management of its risks (challenges & opportunities) to achieve its objectives.

  4. Great post Norman, thank you! Very interesting passages you have highlighted. However, I completely agree that the decision makers own the risk which directly complements the performance.
