MindMap Gallery Risk Structures, Policies, Procedures Compliance
Risk management involves the identification, assessment, and prioritization of risks that may affect an organization's ability to achieve its objectives. It is a proactive process that involves identifying potential risks and developing strategies to mitigate or manage them. Internal control, on the other hand, is the system of policies, procedures, and processes that an organization implements to achieve its objectives. It provides reasonable assurance that an organization's operations are effective, efficient, and compliant with applicable laws and regulations.
Edited at 2023-07-29 07:13:56

This mind map is designed to explore the interconnected concepts of risk management and internal control within organizations. Effective risk management and internal control practices are essential for safeguarding an organization's assets, maintaining financial integrity, and achieving strategic objectives while ensuring compliance with relevant laws and regulations. By visually representing these concepts and their interrelationships, the mind map aims to provide a comprehensive overview of how organizations can effectively identify, assess, and manage risks while implementing robust internal controls to safeguard their operations and assets.
The remuneration of top-level executives is a critical aspect of corporate governance and has a significant impact on an organization's performance, culture, and stakeholder relationships. This interconnected web of ideas explores the various components, considerations, and challenges associated with remunerating directors and senior executives.
Risk Management & Internal Control - Risk Structures, Policies, Procedures & Compliance
Structures
Risk Management Committee
Reviewing the organisation’s risk management and providing assurance to the board that risk management and the processes for the control over risk are effective
Giving advice to the board and making specific recommendations on risk appetite, the organisation's risk tolerance and strategies to manage risk
Providing input into strategy formulation by helping the board to understand the key risks facing the organisation and the opportunities available to the organisation by managing those risks
Policies & Procedures
Risk Policy
A statement, approved by the board, of the extent and kind of risks an organisation is willing to take in pursuit of its objectives
Risk Management Manual
Sets out how risk will be managed within the organization
Annual review of effectiveness should consider
The company’s risk appetite
The effectiveness of the company’s public reporting processes
The issues dealt with by the board throughout the year under review
Risk management and internal controls systems
To what extent do the risk management and internal control systems underpin and relate to the company’s business model?
How are authority, responsibility and accountability for risk management and internal control defined, co-ordinated and documented throughout the organisation? How does the board determine whether this is clear, appropriate and effective?
How does the board satisfy itself that the information it receives is timely, of good quality, reflects numerous information sources and is fit for purpose?
How does the board ensure it understands the organisation’s exposure to each principal risk before and after the application of mitigations and controls, what those mitigations and controls are, whether they are operating as expected?
Monitoring and review
What are the processes by which senior management monitor the effective application of the systems of risk management and internal control?
In what way do monitoring and review processes take into account an organisation's ability to re-evaluate the risks and adjust the controls effectively in response to changes in its objectives, its business and its external environment?
How are processes or controls adjusted to reflect new or changing risks, or operational deficiencies?
Whistleblowing
An effective whistleblowing procedure needs to cover
Fraud
A serious violation of a law or regulation by the company or by directors, managers or employees within the company
A miscarriage of justice
Offering or taking bribes
Price-fixing
A danger to public health or safety, such as dumping toxic waste in the environment or supplying food that is unfit for consumption
Neglect of people in care
In the public sector, gross waste or misuse of public funds
Whistleblowing policy and procedures
Purpose, scope and coverage
Procedures for reporting a matter
What happens when communication is received from a whistleblower
Anonymity of the whistleblower
Communication with the whistleblower
Protection of the whistleblower
Issues the board should consider when introducing a whistleblowing procedure
Building a culture of trust and openness
A statement that the organisation takes malpractice or misconduct seriously and is committed to a culture of openness in which employees can report legitimate concerns without fear of penalty or punishment
How are matters to be reported?
Who is going to be responsible for receiving issues?
Anonymity versus non-anonymity
Improprieties covered by the whistleblowing policy
Investigation, follow-up and reporting procedures
Protection for genuine whistleblowers
Cybersecurity
Intro
Globally, there is an ever-greater reliance on technology
Organisations are required to manage the risks associated with technological disruptions within their organisations
There is a growing recognition that cybersecurity should be high on the board’s agenda
Recent global cyberattacks have highlighted the importance of cybersecurity risk management for board directors
The consequences of a cybersecurity incident can be severe. The economic loss from an incident can be compounded by reputational damage, loss of trade secrets and the costs associated with implementing disaster recovery plans
Boards should ensure that the organisation’s information and technology are protected
Three parts
Physical security of technology
Personnel management
Hardware & Software
Governance of Information - an Information Disclosure Policy should include
Objectives & principles of disclosure
To keep stakeholders informed about the company so that they can make informed decisions
Information should be accurate, accessible, timely, complete, and balanced between positive and negative
Authorised persons
Should set out who is authorised to disclose what information to which stakeholder group
These individuals co-ordinate the statements that they will be making to their audience
Public information
Should set out what information should be public
Confidential information
Should set out what information should be kept confidential, who will have access, and the steps taken to protect that information
Insider information
Information which, if disclosed, would move the company's share price
The handling of this information would be set out in public
Disaster Recovery Plans
A plan of what needs to be done immediately after a disaster to recover from the event
The disaster is of a nature unconnected with the company's business and outside of the control of management
Examples:
Natural disasters (fires, floods, storms)
IT disruptions
Major terrorist attacks
Most needed in industries where a lengthy or widespread shutdown of operations could be catastrophic
The plan should
Specify which operations are essential and must be kept going
Identify and analyse all potential threats to essential operations
Identify possible reactions to the threats to essential operations
Identify who should be responsible for keeping the public informed about the impact and the recovery measures taken