2009-01-13

Guidance on the Regulation on Risk Management and Internal Control

The Norwegian Financial Supervisory Authority (Finanstilsynet) issues this guidance to clarify the requirements of the 2008 Regulation on Risk Management and Internal Control, which expands its scope to include collection agencies and accounting firms. The document mandates that boards and management establish systematic risk management and internal control processes tailored to the size and complexity of their operations, with specific provisions for proportionality and outsourcing. It further details the responsibilities for internal audit or independent confirmation, documentation standards, and the principle that compliance must be integrated into daily operations rather than treated as a separate function.


Finanstilsynet Norway


The guidance applies to:

All

About the Regulation

The purpose of the Regulation of 22 September 2008 No. 1080 is to improve companies' risk management and internal control by elaborating on the responsibilities of the board and management beyond what follows from company law rules and special legislation rules. The Regulation replaces the Regulation of 20 June 1997 No. 1057 on clarification of control responsibilities, documentation, and confirmation of internal control. The new Regulation does not entail extensive material changes, but takes into account changes in other legislation and the development in the theoretical basis for risk management and internal control. In addition, the scope of application is expanded to include new types of companies under the supervision of the Financial Supervisory Authority (Finanstilsynet). The Guidance replaces Circular No. 16/2003.

The Regulation and this Guidance are generally formulated, and not everything mentioned will be equally relevant for all. Companies' risk management and internal control shall be adapted to the nature, scope, and complexity of the business, cf. § 2. The work with risk management and internal control is an ongoing process that will mature and improve over time. The Financial Supervisory Authority assumes that companies that have been subject to the previous Regulation have competence and experience from the implementation of the relevant processes. Therefore, particular emphasis is placed on providing guidance to the new companies subject to the Regulation, and to small companies. The Regulation sets minimum requirements for the company's processes for, and documentation of, risk management and internal control. The Guidance provides advice on what the Financial Supervisory Authority will emphasize in the supervisory follow-up.

Chapter 1 - Preliminary Provisions

§ 1 Scope of Application

The scope of the Regulation is expanded to also cover:

  • Collection agencies
  • Accounting firms

The Regulation also applies to companies subject to the capital requirements legislation. However, an exception has been included in § 6, third paragraph, which is intended to reduce unnecessary double work for companies regulated by the Financial Undertakings Act. A corresponding solution is intended for the insurance sector when the Solvency II legislation is implemented.

For parent companies in financial groups, the Regulation applies to risk management and internal control at the group level. However, this does not reduce the responsibilities and obligations of subsidiaries and their boards. The group head is responsible for risk management in the group and must be aware of risk assessments made in subsidiaries covered by the Regulation.

Lawyers who conduct real estate brokerage or collection activities by virtue of their personal authorization will not fall within the scope of the Regulation.

§ 2 Proportionality

The principle of proportionality is not new, but has been included to clarify that what constitutes good and sufficient risk management and internal control may vary. Each individual company must make this assessment itself in relation to the nature, scope, and complexity of the business.

The provision allows for less extensive requirements for the risk management and internal control process for small companies than for large companies. The same may apply to companies with a narrow product range, for example "monoline" insurers.

Factors in an overall assessment may include:

  • Number of employees
  • Turnover
  • Whether there are frequent changes in the market or the products offered
  • How easy it is for the managing director and other leaders to control that the business is conducted according to the procedures and rules that apply, and how extensive control is necessary to maintain such an overview
  • Whether the legislation places special requirements on customer protection
  • What opportunity customers have to independently control the quality of the service offered

Chapter 2 - Responsibility for Risk Management and Internal Control

§ 3 The Board

According to the Regulation, the board must ensure that risk management and internal control are established to a sufficient extent and in a systematic manner. The board is free to choose a practical and clear form for how this is done.

The board's principles for risk management and internal control should briefly state how the company addresses matters of significance for sound operations, such as the division of roles between the board, management, and other control functions, organizational matters, systems, and how authority is delegated.

The board must ensure that measures are established and implemented to correct or reduce weaknesses found, and that considerations of risk management and internal control are included in the assessment when making decisions about significant changes in the business.

To the extent that the company uses systems or "package solutions" from industry organizations, chain management, or other external suppliers, the board must make its own substantive assessments of necessary adaptations to its own company.

The board is required to assess the need to establish internal audit in the company (§ 9). The Financial Supervisory Authority may, in connection with supervision, ask the board for a justification for why the company does not find it necessary to establish internal audit.

Some companies are subject to rules on risk management and internal control in other legislation. Depending on the scope and complexity of the business, requirements for, for example, risk assessments under these rules may fulfill some requirements in this Regulation. In such cases, it should appear in the board's principles on risk assessment and internal control, or other board decisions.

In small companies, division of labor and independent control can be a challenge. The board should assess whether there is a need for special control measures if it is difficult to maintain sufficient independence and division of labor between executing and controlling functions.

The board of companies acting as intermediaries, providing advice, or managing client funds must ensure that the company's risk management and internal control covers the protection of the customer's interests, including the company's compliance with general rules of good conduct or provisions in special legislation given with regard to client protection.

§ 4 Managing Director

The managing director is responsible for establishing a good control environment at all levels in the company. The managing director should engage in the entire risk management process. In smaller companies, the managing director will often participate in the process itself. In larger companies, the managing director will be responsible for initiating the process, engaging in the overall risk assessment, actively assessing whether the steering and control apparatus is sound, and following up that line managers participate actively.

The managing director must ensure that the board is sufficiently informed about the main features of the company's risk management and internal control. The board's principles should state how extensive this reporting is to be, what is to be reported, and when and how it is to be reported.

Regarding the professional practice of real estate brokerage, the managing director of a real estate brokerage company is exempt from the duties under § 4. These duties are placed on the company's professional responsible person, cf. Regulation of 23 November 2007 No. 1318 § 2-8. There is no corresponding exemption for accounting firms that use the exemption in the Accounting Firms Regulation § 1-3.

§ 5 Outsourcing

In the event of outsourcing, the company must ensure, on its own initiative or through formalized cooperation with companies other than the supplier, that its own organization possesses sufficient competence to manage the outsourcing agreement. This applies, for example, to settlement functions and ICT systems.

Chapter 3 - Risk Management and Internal Control

§ 6 Risk Management

The purpose of § 6 is to contribute to a reassuring risk assessment process and awareness of risk in the company. The risk assessment is the starting point for assessing the need for new and changed control measures, and must be carried out prior to changes in the organization, launch of new products, and expansions to new markets. It is important that risk assessments are also made in connection with major internal or external unforeseen events.

What is risk management?

The company's risk management is what the company does through strategy, organization, procedures, and sound operations to achieve set goals and secure its and its customers' values, as well as reliable reporting and compliance with laws and regulations. This involves more than what has traditionally been perceived as internal control.

There are several recognized frameworks for risk management. These constitute important theoretical foundations, but are not assumed to be known by everyone. Most commonly used in Norway are the so-called COSO frameworks. COSO is an organization, originating in the USA, which has issued several reports and frameworks on risk management and internal control (www.coso.org).

Risk management is therefore not a concept with a single fixed content, and its meaning may also vary over time. One definition of (holistic) risk management is given in COSO 2:

"Holistic risk management is a process, carried out by the company's board, management, and employees, applied in setting strategy and across the company, designed to identify potential events that may affect the company and to handle risk so that it is consistent with the company's risk appetite, to provide a reasonable degree of assurance for the company's achievement of its objectives." (Holistic Risk Management – An Integrated Framework (COSO 2, 2004/2005, published in Norwegian by the Norwegian Association of Internal Auditors))

Central components of holistic risk management according to COSO 2 are:

  • Internal Environment – The internal environment is the basis for employees' attitude towards risk. It also includes philosophy for risk management and risk appetite, integrity and ethical values, and the environment in which they operate.
  • Establishment of Objectives – Objectives must exist before management can identify potential events that may affect the achievement of these. Holistic risk management ensures that management has in place a process for establishing objectives, and that the chosen objectives support and are consistent with the company's purpose and reflect its risk appetite.
  • Identification of Events – Internal and external events that affect a company's achievement of its objectives must be identified, and a distinction is made between risks and opportunities. Opportunities are channeled back to management's processes for setting strategy or objectives.
  • Risk Assessment – Risks are analyzed, and probability and consequence are assessed, as a basis for deciding how they should be handled. Both inherent and residual risk are assessed.
  • Risk Handling – Management chooses forms of risk handling – avoiding, accepting, reducing, or sharing risk – and develops an action plan to bring the risk in line with the company's risk tolerance and risk appetite.
  • Control Activities – Guidelines and procedures are established and implemented to ensure that risk handling is carried out in an effective manner.
  • Information and Communication – Relevant information is identified, captured, and communicated in a form and within a time frame that enables employees to fulfill their responsibilities. Effective communication also takes place in a broader sense, both vertically and horizontally in the company.
  • Follow-up – The holistic risk management process is followed up and changed as needed. Follow-up is carried out through ongoing management activities, independent evaluations, and internal audit.

In small companies, the fact that there are few employees is a risk in itself. Particular risk factors may include:

  • Vulnerability in the loss of competence
  • Lack of competence to control specialists in one's own company
  • Dependence on individuals
  • Problems with getting good enough division of labor and independent control
  • That the managing director also takes part in the day-to-day operations
  • That the control apparatus and management function do not grow in line with the business

How to implement risk management?

A holistic assessment of risks and associated control measures must be carried out at least once a year. There is no requirement that this be done at specific times, or that analyses of individual areas must be carried out simultaneously.

The special provision in § 6 last paragraph for companies subject to the capital requirements legislation is intended to reduce the need for approximately similar processes under two different sets of rules. Banks that have permission to provide investment services under the Securities Trading Act are, however, subject to § 6 when it comes to this business. That is, this part of the business in banks is not covered by the exception.

§ 7 Implementation of Internal Control

Internal control is a process, carried out by the board, management, and employees, designed to provide a reasonable degree of assurance to achieve the company's goals. Leaders should actively engage in assessing whether established risk management and internal control are implemented as intended within their own area of responsibility. It is not sufficient to rely solely on, for example, compliance departments or internal audit conclusions. The individual leader is free to choose the form of work. Reports from internal audit and statements from the external auditor can be of good help in the work, but the cooperation should not be so extensive that it undermines the independence of these functions.

Compliance and follow-up require that leaders at all levels in the organization implement and monitor approved control measures within their own area of responsibility. This is necessary to be able to intervene when controls fail or prove to be too weak. The Regulation does not place special requirements on how monitoring should take place, but keywords can be personal presence, inquiries in meetings with employees, spot checks and other special investigations, review of key figures, deviation measurement in IT systems, and follow-up of auditor reports.

There must be a systematic arrangement for monitoring, and the arrangement must be regularly re-evaluated. The managing director must be prepared for the board, control committee, internal audit, external auditor, or the Financial Supervisory Authority to ask to be informed.

Small companies do not need complicated systems to carry out satisfactory internal control. Simple procedures and controls must still be in place. Examples include:

  • Deputies
  • Procedures for countersignature on received invoices and payments from client accounts
  • Written case handling procedures in central areas
  • Checklists for actions performed in case handling in central areas
  • Written control procedures that specify control points, the documentation basis, responsibility for implementation, deadlines/frequency, etc. It should be clear which control is to be performed (for example, which points in a case are to be checked), what is to be checked (for example, case files, journals, etc.), who is to perform the controls, and how often (for example, at least three cases per month, all journals at the end of each month, etc.)
  • Checklists for performed control actions with specification of deviations, how deviations have been followed up, and measures/procedure changes to prevent repetitions, and that it has been reported upwards

§ 8 Documentation and Reporting

The purpose of the regulatory requirement is to ensure that sufficient information about the implementation of risk management and internal control, including about registered breaches and weaknesses, is reported to management and the board. To achieve this, a systematic arrangement for monitoring and reporting must be established that covers all levels in the organization. Even if significant weaknesses and errors are corrected immediately, these must be reported so that those responsible for control can assess whether initiated measures are appropriate and whether internal control works as intended.

Important guidelines, procedures, and control measures must be in writing. It must be documented that a risk assessment has been carried out.

The company is otherwise free to choose the form of documentation. The documentation should reflect work procedures, control routines, and significant risk assessments, so that the board and managing director can take a position on whether the company has assessed risks and control measures in all activity areas. It should appear how leaders at different levels have participated in the process.

Chapter 4 - Internal Audit or Independent Confirmation

§ 9 Internal Audit

Internal audit must, independent of management, carry out systematic risk assessments and investigations of internal control to ensure that it works in a purposeful and reassuring manner. The board must approve the allocation of resources to internal audit and annual plans for the business.

Internal audit is an important link in the board's monitoring of risk management and internal control. The function is particularly relevant in large and complex organizations, but also in smaller companies with high operational risk. Internal audit strengthens internal control and may be worth considering even in companies that are not required to have it.

Internal audit is an independent professional field, with its own standards, methods, and ethical rules. The Norwegian Association of Internal Auditors develops standards within the professional field. The internal audit function can be outsourced entirely or partially. The company's external auditor cannot be the internal auditor as this is contrary to the Auditor Act § 4-5 second paragraph.

The requirement for internal audit enters into force no later than at the time when the managed capital has exceeded the limit of ten billion kroner for more than 12 months, unless the company can prove that the managed capital will come below the limit within the next six months.

For collection companies, the debt portfolio will not be considered part of the managed capital according to the Regulation. The board must, however, in accordance with § 3 first paragraph no. 7, take a position on whether the company should have internal audit.

If a company chooses to outsource the internal audit function, it must ensure that the requirements in § 5 are met.

§ 10 Independent Confirmation

The provision applies to companies that do not have internal audit. The purpose is for the board to receive an annual confirmation from a body that does not itself participate in the company's internal control. The confirmation must be issued by the company's elected auditor.

The auditor is not required to confirm the quality of the company's risk assessments or of its documentation of procedures and control measures, only that such assessments have actually been made and that documentation exists. Regarding the last bullet point of the provision, the auditor must verify that the procedures the company has established for carrying out the internal control process ensure consistency between the risk assessments performed in the line and the reporting made to the board.

§ 11 Exceptions

The exception provision is continued even though it is rarely used. The Financial Supervisory Authority clarifies that a restrictive practice will be followed. It will not, for example, be possible to get an exception just because the company is small or newly established.

§ 12 Entry into Force

The Regulation applies from 1 January 2009. All processes required by the Regulation must have been carried out at least once during 2009.

See Regulation on Risk Management and Internal Control (link to Lovdata)

Bjørn Skogstad Aamo

Anne Merethe Bellamy