Understanding the FRC Code: Comprehensive Risk Management for Businesses
03 Mar
Taking Risk Management seriously
As featured in Information Age, Risk & Compliance Magazine, and netimperative.com
There’s no doubt that risk management has become a primary consideration for meeting corporate governance objectives in recent years. Increasingly, investors and regulators expect business leaders to identify the principal risks to the business, articulate how these risks are measured and managed, and explain how their strategy aligns with the organization’s culture and appetite for risk. Adding value is fundamental to business success, but any attempt to create value also brings the risk of miscalculation—and this is where many businesses fail. Failure often stems from an inability to understand the risks they face or to manage these risks effectively. Put simply, effective risk management is essential for long-term success.
Yet businesses worldwide face the same challenge. Continuous change, together with new technology, new markets, and increased competition, has raised both the rate at which such threats emerge and their potential impact. Unfortunately, most businesses remain poorly positioned to comply with the new standards. Back in September, Deloitte reported: “For the majority of businesses, especially those in less regulated industries… the adoption of these changes will represent a significant challenge.” Fast-forward a year, and Deloitte found that “many [organizations] do not yet have a risk process in place that goes sufficiently beyond the identification of principal risks. The detailed work required to really understand these risks, how they are being mitigated and monitored, and whether the risk profile is changing, is often either absent or currently happening in an uncoordinated way… there is also limited integration of the risk management process into key business planning and decision-making processes.”
What does the FRC’s UK Corporate Governance Code entail?
Previously, the UK Corporate Governance Code stated that the board of directors is responsible for maintaining sound risk management and internal control systems, which should be reviewed at least once a year. The updated code goes significantly further:
- Assessment of principal risks: Directors must carry out a robust assessment of the principal risks facing the company, including those that threaten its business model, future performance, solvency, or liquidity. They should also describe these risks and explain how they are being managed or mitigated.
- Monitoring of risk management and control systems: The board should monitor the company’s risk management and internal control systems, reviewing their effectiveness at least once a year. This monitoring and review should cover all material controls, including financial, operational, and compliance controls.
Essentially, directors of any company wishing to comply with the code must implement a single, comprehensive process for risk identification and management, which is continually monitored and regularly reviewed. Furthermore, they must explain what actions have been taken to address any identified failings or vulnerabilities.
Meanwhile, updated auditing standards require external auditors to state whether they have anything to add to the board’s statements on principal risks and the results of their reviews. This means that internal controls, monitoring tools, and reporting structures must be clearly evidenced or demonstrated to satisfy auditors that adequate measures are being taken.
Only companies with a premium listing on the London Stock Exchange are required to comply with the code, but it nonetheless represents best business practice. Consequently, it is reasonable to expect that a more comprehensive and integrated approach to risk management will come to be regarded as the standard for any well-run company.
What should forward-thinking businesses do?
There is no off-the-shelf solution to this problem. Technology, people, and processes must be considered in equal measure. From a technology perspective, solutions like those offered by CoreStream GRC provide a platform for centralizing risk management across the organization, along with a range of sophisticated tools that support the maintenance and review of risk registers. This brings several benefits:
- Integration of risks with controls: Risks can be linked to internal controls, mitigating action plans, policies, and processes, enabling the company to demonstrate what measures are in place to manage or mitigate risk.
- Automated reviews: Periodic or recurring reviews of risks and controls can be initiated automatically, ensuring that the system is properly maintained and regularly updated.
- Streamlined reporting: With all content in one place, reporting is automated and efficient. Real-time reports make it straightforward to identify issues that need attention and to determine whether specific risks or risk types are causing concern across the business. Holding all risk data in a single system also avoids the fragmented, inconsistent data that scattered registers produce.
Remember: technology is an enabler, not a solution. Poor risk management is primarily a matter of people and processes, and acquiring new tools alone won’t change this. However, once underlying problems are addressed, technology allows risk management to be more coherent, efficient, and less burdensome.
An opportunity for improvement
At the end of the day, the FRC’s updated standards provide an opportunity for businesses to improve. Embedding risk management within the organization and ensuring that it is integral to planning and decision-making processes simply makes good business sense. It focuses business leaders on the company’s core, value-adding operations and encourages them to address risk proactively. This approach produces better-quality, more timely management information, which, in turn, leads to better business decisions and an organization that is both more cohesive and far more responsive to change.
FAQ for risk management
What is the importance of risk management in corporate governance?
Risk management is critical in corporate governance because it enables businesses to identify and address risks that could threaten their operations, strategy, and financial stability. It aligns the organization’s risk appetite with its goals and helps maintain compliance with regulatory requirements.
What role does technology play in risk management?
Technology acts as an enabler by centralizing risk management activities, automating periodic reviews, and streamlining reporting. Platforms like CoreStream GRC help integrate risks with controls, policies, and action plans while improving efficiency and coherence.
What benefits do centralized risk management platforms provide?
Centralized platforms:
- Link risks with controls and action plans.
- Automate reviews and updates.
- Provide real-time, efficient reporting to highlight key issues.
How can businesses prepare for compliance with updated risk management standards?
Businesses should:
- Establish comprehensive risk identification and management processes.
- Regularly monitor and review these processes.
- Embed risk management into planning and decision-making.
- Ensure clear documentation to satisfy regulatory and auditing requirements.