Board Risk Committee Guide

194 | Board Risk Committee Guide 5.2 Adequacy and Effectiveness Review 5.2.1 Reviewing the adequacy and effectiveness of risk management and internal control systems is an essential part of the Board’s responsibilities. The Board will need to form its own view on the adequacy and effectiveness after due and careful enquiry based on the information and assurances provided to it. When the BRC is responsible for overseeing the overall risk management and internal control systems, it should review, at least annually, the adequacy and effectiveness of the systems, including the financial, operational, compliance and information technology risks. Effective monitoring on a continuous basis is an essential component of a sound system of risk management and internal controls. Therefore, the Board and the BRC should regularly receive and review reports on risk and internal controls. They cannot rely solely on the embedded monitoring processes within the company to discharge their responsibilities. 5.2.2 BRC members should first agree on what “adequacy” and “effectiveness” mean and entail in the context of risk management of the company: • “Adequacy” means the risk management and internal control systems are designed appropriately. • “Effectiveness” means the risk management and internal control systems are operating as intended. Adequate and effective risk management and internal control systems therefore mean that the system is well-designed, and is working as intended. Risk management and internal control systems are also considered adequate and effective if they provide reasonable assurance for the management of a company’s risks, the safeguarding of its assets, the reliability of financial information, and the compliance with laws and regulations. 5A-1