This document summarizes a presentation on risk management and the role of the company secretary. It discusses why risk management is important for objectives, opportunities, decision making and performance. It outlines the expanding role of the company secretary in risk oversight and compliance. It also describes elements of an effective risk management framework including governance, risk management, compliance and setting risk appetite. Specific risks like cybersecurity and fraud are used as examples. The responsibilities of the board, management and company secretary in the risk management process are defined.

1. 1
Risk Management and the Company Secretary
Gerard Joyce & David Devereux
Dublin
2nd April 2019

2. Overview
• Introduction
• Company Secretary’s (expanding) Role
• Elements of a Risk Management Framework
• Role and Responsibilities of the Board
• Role of the Company Secretary
• Cyber Risk Example
• Fraud Risk Example

3. Brakes Allow a Car to go Fast
3

4. Why Do Risk Management?
Because:
• Objectives
• Focus
• Forward looking
• Process identifies opportunities
• Better / Informed decision making
• Improved performance
• Effective governance demands It
4

5. The Expanding Role of the CS
Note Taker
Advisor to the Board
Duties, Obligations, Effective Board Processes
Responsible for Corporate Governance
Compliance with law
Submit reports / filings, maintain registers
Communication
With management, other stakeholders

6. Risk Management System
An effective risk management system identifies and assesses risk,
decides on appropriate responses and then provides assurance
that the chosen responses are effective.(Code of Practice for the Governance of State
Bodies)

7. Governance, Risk and Compliance
reliably achieve objectives [GOVERNANCE],
while addressing uncertainty [RISK MANAGEMENT] and acting
with integrity [COMPLIANCE] (Michael Rasmussen)
Governance
Risk
Management
Compliance

8. Risk Management Framework

9. The Role and Responsibilities of the Board
Risk Oversight
– Set the Risk Appetite
– Approve risk management policy
– Demand a robust risk management process
– Ensure processes aligned with strategy / objectives
– Appoint one individual to drive / report
– Monitor the risk management system
– Make risk a periodic agenda item
– Review risk information including incidents
– Review effectiveness of controls

10. Risk Appetite – How Much is Too Much
Risk Capacity
is the maximum amount of risk which the organisation is technically
able to assume before breaching constraints determined by capital,
borrowing capacity, regulations, reputation and operational
environment.
Risk Management Capability
the ability to manage risk exposures within desired risk limits.
(Understanding, measurement, skills & knowledge, controls and
oversight, culture..)
10

11. The Role of the Company Secretary
• May be the effective Chief Risk Officer
• May be consultant at the beginning of the journey
• May be the go-between when the RO is bringing a report to the
Board
• May be the Compliance Officer and a contributor to the overall
Risk Profile report

12. The Role and Responsibilities of Management
• Advise Board on RM policy and processes
• Define how risk is to be managed
• Implement the risk management framework
• Communicate policy and process to all
• Identify, Analyse, Treat Risks
• Monitor performance
• Implement risk mitigation plan
• Report to the Board

13. Reporting – What Boards Should Know
• What is the overall risk profile?
• What are the Top 10 risks
• What is threatening the Objectives
• Are existing controls working / effective?
• Have there been any near misses / incidents?
• Where are the gaps?
• Confirmation of the overall compliance position
• What is being done to address the gaps?
• Key Risk Indicators (KRIs)
Risk Management Fundamentals 13

14. Key Risk Indicators
Exposure Indicators
Changes in the nature of the business environment
Interest rates, exchange rates, unemployment rate, financial results of key customers, outstanding debt
Stress Indicators
Significant rise in the use of resources (people / material)
Sick days, accidents, system downtime, customer complaints, order levels, helpdesk calls
Causal Indicators
Drivers of some key risks to the business
Time to fill vacant positions, training completed, equipment age
Failure Indicators
Poor performance and failing controls
Missed targets, fraud, complaints, audit findings, data breaches, policy breaches
14

15. Example Data Breach Risk
15
Employee - Intentional
Unauthorised Access
Employee - Unintentional
Data
Breach
IT Glitch
Policy
Procedures
Training & Education
Checks
Robust Contracts
Strong Access Control
Encryption
Due Diligence
Data Classification
Monitor Feedback
Measure Service
Monitor Network Traffic
Maintain Good Comms
Monitor Data Integrity
Monitor Press / SocMed
Response Plan
Privacy Impact
Notification Plan
Communications Plan
Collect Evidence
Review Controls
Document Action
Cyber Insurance

16. ICSA
RISK MANAGEMENT
David Devereux - Director, BDO Risk & Advisory Services
2nd April 2019

17. 17
BDO RANGE OF SERVICES
The BDO Global Risk Advisory Services practice shares the knowledge and best
practices gained from years of experience operating across 162 countries and
territories.
• Risk Management Framework Implementation
• Board Effectiveness
• Internal Audit
• Controls Advisory and Assessment
• SOx
• Corruption, Financial Reporting & Fraud Investigations
• Fraud and Anti-Corruption Compliance
• Investigative Due Diligence
• Forensic Accounting and Technology Services
• Cyber Risk Management

18. THANK YOU
DAVID DEVEREUX | DIRECTOR, BDO RISK & ADVISORY SERVICES