The board of directors should carry out an annual review of the company’s most important areas of exposure to risk and its internal control arrangements.
The board of directors should provide an account in the annual report of the main features of the company’s internal control and risk management systems as they relate to the company’s financial reporting.
Commentary
The board’s responsibility and objective for risk management and internal control
This section of the Code of Practice on risk management and internal control is intended to clarify the supervision responsibilities of the board of directors.
The objective for risk management and internal control is to manage, rather than eliminate, exposure to risks related to the successful conduct of the company’s business and to support the quality of its financial reporting. Effective risk management and good internal control contribute to securing shareholders’ investment in the company and the company’s assets.
Internal control comprises guidelines, processes, duties, conduct and other matters that:
- facilitate targeted and effective operational arrangements for the company and also make it possible to manage commercial risk, operational risk, the risk of breaching legislation and regulations as well as all other forms of risk that may be material for achieving the company’s commercial objectives
- contribute to ensuring the quality of internal and external reporting
- contribute to ensuring that the company operates in accordance with the relevant legislation, regulations and internal guidelines for its activities, including the company’s corporate values, its ethical guidelines and its guidelines for corporate social responsibility.
The board of directors must form its own opinion on the company’s internal controls, based on the information presented to the board. Reporting by executive management to the board of directors should give a balanced presentation of all risks of material significance, and of how the internal control system handles these risks.
The company’s internal control system must, at a minimum, address the organisation and execution of the company’s financial reporting. Where a company has an internal audit function, it must establish a system whereby the board receives routine reports and ad hoc reports as required. If a company does not have such a separate internal audit function, the board must pay particular attention to evaluating how it will receive such information.
Ethical guidelines should provide guidance on how employees can communicate with the board to report matters related to illegal or unethical conduct by the company. Having clear guidelines for internal communication will reduce the risk that the company may find itself in situations that can damage its reputation or financial standing.
Annual review by the board of directors
The board’s annual review of risk areas and the internal control system should cover all the matters included in reports to the board during the course of the year, together with any additional information that may be necessary to ensure that the board has taken into account all matters related to the company’s internal control.
The review should pay attention to:
- changes relative to previous years’ reports in respect of the nature and extent of material risks and the company’s ability to cope with changes in its business and external changes
- the extent and quality of management’s routine monitoring of risks and the internal control system and, where relevant, the work of the internal audit function
- the extent and frequency of management’s reporting to the board on the results of such monitoring, and whether this reporting makes it possible for the board to carry out an overall evaluation of the internal control situation in the company and how risks are being managed
- instances of material shortcomings or weaknesses in internal control that come to light during the course of the year which have had, could have had or may have had a significant effect on the company’s financial results or financial standing; and
- how well the company’s external reporting process functions.
Reporting by the board of directors
The board’s account in the annual report of the main features of the company’s internal control and risk management systems as they relate to the company’s financial reporting should include sufficient and properly structured information to make it possible for shareholders to understand how the company’s internal control system is organised. The account should address the main areas of internal control related to financial reporting. This includes the control environment, risk evaluation, control activities, information and communication and follow-up.
If the company uses an established framework for internal control this should be disclosed. Examples of this include the framework for risk management and internal control published by the Committee of Sponsoring Organizations of the Treadway Commission.