Abstract:
Risk is a Board responsibility, which cannot be delegated. The boundaries of the
audit committee lie somewhere below strategic risk, which is a Board function,
and above detailed internal control, which belongs to management. However, there
was no consensus about just where those boundaries lie. The flipside of risk is
opportunity, and the Board should set a risk appetite for the organisation that
reflects this. The Combined Code suggests a role for a Board-level risk
committee, comprising independent non-executives. The participants in the
discussion did not think this to be practical: risk management must involve
executives. There is a danger that too much focus on the process of risk
management could lead to complacency or to a lack of focus on the risks
themselves. The review of risk at Board and audit committee level necessitates
having non-executive directors with a suitable range of backgrounds. As well as
financial skills, the skills mix should include high-level business knowledge,
for example an understanding of significant opportunities/risks specific to the
business. A key aspect of risk management is understanding the culture of the
organisation. Non-executives, with limited contact below Board level, may find
difficulty in understanding the culture at lower levels of the organisation. The
audit committee's role in risk management requires a strong relationship with
the internal audit function of the organisation, one of whose roles is as a
‘financial policeman’. Different types of risk should be addressed in different
ways. Financial, operational and strategic risk have little in common, and their
management and review should reflect the context of the particular compan