Director Development Centre

Principal: Richard Winfield

Internal control procedures*

Directors have a fiduciary duty to the shareholders.

All directors should take great care that they are able to fulfil this duty, for their own personal protection as well as for the shareholders and other stakeholders.

Most major corporate scandals have been the result of directors being unaware of the true financial position of the organisation for which they are responsible.

Every organisation should have a robust system of financial control. The organisation's auditors should be encouraged to review the controls in the business and report to the directors on their findings.

Internal control includes financial, operational and compliance controls and risk management.

Successful business involves taking risks. The purpose of internal control is to help manage and control risk appropriately, rather than to eliminate all risks, since profits are in part the reward for successful risk taking in business.

Risk assessment and control should not be limited to financial risks but should also include other relevant matters. These include external factors that should be exposed in the PEST analysis as well as an increasing range of other factors such as employment litigation, loss of key individuals, succession planning, IT failure/data loss, reputation risk etc.

There are four possible responses to risk: -

• Avoid the risk. Do not commit to planned action and abandon the proposed project.
• Mitigate the risk. Invest in standby equipment, duplicate or triplicate critical components, train staff or adopt risk policies such as requiring senior executives to travel in different vehicles.
• Transfer the risk. Insure against the risk or otherwise spread the exposure to third parties.
• Retain the risk. In this case the board must evaluate the impact of a worst case scenario and the ability of the organisation to recover. Different organisations have different appetites for risk, as well as varying resilience to disaster.

Corporate governance

Does the board set appropriate policies on internal controls, seek regular assurance that the system is working satisfactorily, and ensure that the system is effective in managing risks?

Does the board consider: -

• The nature and extent of the risks facing the organisation, which risks are acceptable and to what extent?
• The likelihood of the risks materialising?
• The organisation's ability to reduce the incidence and impact on the business of risks that do materialise?
• The cost of operating particular controls relative to the benefits of managing the associated risks?

* Inspired by the Institute of Directors Standards for the Board