Every Director knows they need to ensure that their company is managing risk. But what does that mean in practice, and what does the law require of a company Director with respect to risk management and controls?
The main areas of statutory law applicable to risk management are the Financial Services and Markets Act 2000 and the Financial Reporting Council UK Corporate Governance code. The code states the following with regards to Risk Management and Internal Control:
'The Board is responsible for determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives. The Board should maintain sound risk management and internal control systems'.1
Under the Financial Services and Markets Act 2000, the Boards of all publicly listed companies must disclose how they have complied with the code or explain any areas where they have not. Effectively, this makes risk management a legal obligation for Directors of a listed company.
So what are these obligations? In order to determine this, it is necessary to refer to both the code itself and the FRC guidance on risk management and internal controls.2 Here is a high level summary of the key responsibilities that a Director has under the code:
- Design and implement appropriate risk and control systems
- Perform a robust assessment of the principal risks to the business
- Agree on the approach for managing these principal risks
- Determine the risk appetite of the organisation
- Embed an appropriate culture and reward system for the management of risk
- Appraise and monitor risk management in the organisation, carrying out a review of the effectiveness of these systems at least annually
- Ensure the publication of risk management information in the annual report
It is evident that there is a lot left to the interpretation of individual Directors and their Boards with regards to the risk management systems they implement. However, it’s also clear that there is an expectation that Directors will take the management of their business risks seriously and that legal consequences could follow if they don’t.
1. Section C.2: Risk Management and Internal Control