Should the board's responsibility for setting strategic risks be made more explicit?

The Financial Reporting Council (FRC) has suggested further consideration of whether a company board’s responsibility for strategic risks and setting risk appetite should be made more explicit in the Combined Code on Corporate Governance, following comments by AIRMIC.

The FRC is conducting a review of the Combined Code and will publish a final report later in the year. Over half of the 114 respondents to the consultation commented on one or more aspects of risk management and internal control.

In its joint submission with the IRM at the initial consultation stage, AIRMIC drew attention to the difference between internal audit and risk management. The latter, it said, was a forward-looking executive role that anticipated and evaluated risks and developed effective controls to deal with them.

In its comments, prepared by technical director Paul Hopkin, AIRMIC said that the existing Turnbull guidance on the internal control requirements of the code focused

on the need for adequate control of significant risks facing a company. It was not sufficiently detailed in relation in terms of forward-looking risk management activities.

‘It is not possible to have full confidence in the relevance of control activities unless the identification of those controls has been validated by a sound risk management process.’

AIRMIC’S view is that future guidance should be aligned with the requirements of the newly published British Standard BS 31100 and the soon-to-be published ISO 31000. The additional guidance could be provided in the format of a specific report on risk management, or else the Turnbull report could be revised and developed into combined risk management and internal control guidance, AIRMIC proposed.

All documents are available from the FRC at