5 August 2016

7 things Directors should know: FRC Risk Management responsibilities

Every Director knows they need to ensure that their company is managing risk. But what does that mean in practice, and what does the law require of a company Director with respect to risk management and controls?

The main areas of statutory law applicable to risk management are the Financial Services and Markets Act 2000 and the Financial Reporting Council UK Corporate Governance code. The code states the following with regards to Risk Management and Internal Control:

'The Board is responsible for determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives. The Board should maintain sound risk management and internal control systems'.1

Under the Financial Services and Markets Act 2000 the Board of all publicly listed companies must disclose how they have complied with the code or explain any areas where they have not. Effectively, this makes risk management a legal obligation for Directors of a listed company.

So what are these obligations? In order to determine this, it is necessary to refer to both the code itself and the FRC guidance on risk management and internal controls.2 Here is a high level summary of the key responsibilities that a Director has under the code:

  1. Design and implement appropriate risk and control systems
  2. Perform a robust assessment of the principal risks to the business
  3. Agree on the approach for managing these principal risks
  4. Determine the risk appetite of the organisation
  5. Embed an appropriate culture and reward system for the management of risk
  6. Appraise and monitor risk management in the organisation, carrying out a review of the effectiveness of these systems at least annually
  7. Ensure the publication of risk management information in the annual report

It is evident that there is a lot left to the interpretation of individual Directors and their Boards with regards to the risk management systems they implement. However, it’s also clear that there is an expectation that Directors will take the management of their business risks seriously and that legal consequences could follow if they don’t.

1. Section C.2: Risk Management and Internal Control