Updated governance code continues to highlight risk management

An FRC guidance note sets out best practice on risk management and provides a useful framework for treasury professionals

In July 2018, the UK’s Financial Reporting Council (FRC) published its updated UK Corporate Governance Code, which includes guidance on risk management. In the updated Code, there is reference to another useful publication from the FRC – a publication that makes some highly relevant points for treasury professionals.

The guidance note aims to:

  • bring together elements of best practice for risk management;
  • act as a prompt for boards to consider how to discharge their responsibilities in relation to existing and emerging principal risks;
  • reflect sound business practice, whereby risk management and internal control are embedded in the business process by which a company pursues its objectives; and
  • highlight related reporting responsibilities.

Although aimed at boards and board committees of companies with a primary listing, treasury professionals involved in the production and delivery of treasury risk policies will also find the guidance note useful, because it sets out best practice for risk management in a high-level form.

In addition, it provides descriptions of the viability statement and the statement on risk management and internal control – key risk management disclosures within annual reports that treasury professionals may have to contribute to, depending on their role.

Board responsibilities for a company’s risk management are set out in section 2 of the code. Those relevant to treasury are summarised below:

  • design and implement appropriate risk management and internal control systems;
  • identify and assess principal risks;
  • determine those risks which the company is willing to take to achieve its strategic objectives – its risk appetite;
  • agree how the principal risks should be managed and mitigated;
  • monitor and review the risk management and internal control systems; and
  • ensure sound internal and external communication.

Section 4 of the guidance note sets out the benefits and requirements of risk management and internal control systems. Key points relevant to treasury are summarised below:

  • risk management systems help reduce the likelihood and impact of risk taking that exceeds levels agreed by the board;
  • risk management systems should be embedded in the operations of the company;
  • risks may include financial, operational, reputational, behavioural, organisational, third party, or external risks, such as market or regulatory risk;
  • the design of risk management systems should be appropriate to the complexity, size and circumstances of the company; and
  • when reviewing risks, the following should be considered: (1) the likelihood and impact of risks materialising (ie risk assessment); (2) the exposure to risks before and after they have been managed or mitigated; and (3) the effectiveness, costs and benefits of controls.

Section 5 provides guidance on the monitoring and review of risk management and internal control systems. It states that “Effective and ongoing monitoring and review are essential components of sound systems of risk management and internal control.” This section also sets out what should be included in the annual review of effectiveness.

Section 6 addresses reporting requirements (such as the viability statement and statement on risk management and internal control), and appendix C contains a set of useful questions on risk management – some of which treasury professionals could use as a checklist when developing treasury risk policies and controls.

Risk appetite*

The guidance note states that the board is responsible for determining the nature and extent of the principal risks faced and those risks that the organisation is willing to take in achieving its strategic objectives. No further advice is provided in the guidance note on producing risk appetite statements, although it is a key component of the risk management process and usually the most difficult part.

Each key risk in treasury (liquidity, interest rate, funding, fx risks and so on) should have a corresponding risk appetite statement. The following points should be considered when setting risk appetite for treasury risks:

  1. Existing risk management standards and procedures in the company should be used to ensure consistency and avoid duplication of effort, for example, risk policy templates if they exist and agreed risk terminology and definitions.
  2. The corporate objectives and risk appetite statements at the company level should be taken into account (if they exist). In some cases, the board or board committees may have allocated risk appetite to different parts of the company, including treasury.
  3. The risk appetite for each treasury risk should be measurable and not a high-level general statement. For example, risk appetite statements could refer to the impact on profits or cash flow.
  4. Risk exposures should be first assessed by determining the likelihood of the risk arising, its potential magnitude and speed of it materialising. ‘Value at Risk’ measures are a useful way of quantifying risk exposures.
  5. Risk appetite should be developed by taking into account the risk capacity of the company – that is the amount of risk that the company can bear and which can have financial and non-financial dimensions. The risk capacity could be expressed as £x million of cash or £y million of accounting loss.
  6. The size and sophistication of the treasury function will be a factor in determining risk appetite and risk attitude (cost or profit centre?).
  7. The link between key risks (including non-treasury risks) should be understood and used to produce risk appetite. For example, if interest rate changes are found to be negatively correlated with sales, then management may decide to have a higher risk appetite for interest rate exposure. This is why it is important that all key risks are reviewed regularly together in a body such as a risk committee or the board.
  8. Risk appetite statements produced in treasury should be reviewed and approved by senior management.
  9. Once the risk appetite for a risk has been determined and approved, it should be compared with the actual risk exposure on a regular basis so that the risk exposure can be managed to agreed levels, for example, by hedging, if necessary. Risk limits and trigger points can be developed once risk appetite has been set and are important tools in managing risk. As with risk appetite, risk limits and trigger points should be measurable.
  10. Risk appetite should be reviewed regularly, when the company profile changes or if there are significant changes in the economic or competitive environment. For example, if the company makes a large acquisition, it may be necessary to reduce leverage to mitigate increased integration or business risk.

Treasury professionals should find the guidance note useful background for understanding governance requirements at larger companies in the UK and helpful when dealing with risk management, including the production of treasury policies and design of risk and control systems.

Given their skills and experience, treasury professionals can make a valuable contribution to a company’s overall risk management and control systems, including the production of risk appetite statements. The FRC’s guidance note provides a useful framework for this task.

Check out the earlier article on the FRC’s updated Corporate Governance Code as it relates to treasury professionals..

*Risk appetite is the amount and type of risk a company is willing to take to meet its objectives

About the author

Gurdip Dhami is a treasury consultant and ACT member

Scroll to top