Board Risk Committee Guide

Section 5: Sources of BRC Assurance | 195

The key attributes of such a sound system of risk management and internal controls are provided in Appendix 5C. Notwithstanding the level of adequacy and effectiveness, it is important to note that this provides only reasonable – but not absolute – assurance that a company will not be hindered in achieving its business objectives, or in the orderly and legitimate conduct of its business, by adverse circumstances which may reasonably be foreseen.

5.2.3 The BRC should consider the scope, approach, timing, and the party best placed to conduct the annual review. The BRC can request that the review be carried out internally or with the assistance of any competent third parties. In practice, the review is generally conducted by one or more of the following:

• The company’s risk management function (or equivalent).
• The internal audit function.
• An external party.

Where the review is conducted internally, the BRC should establish safeguards to ensure the independence of the approach and findings. The BRC should also consider the need for a periodic review by an independent third party, for example, once every two to three years.

5.2.4 During the review, the BRC should take into account all significant aspects of risks and internal controls that were dealt with (during the year under review, and up to the date of approval of the annual report and accounts) such as:

• Changes (since the last review) in the nature and extent of significant risks, and the company’s ability to respond to changes in its business and the external environment.
• Adequacy of measures in place to mitigate or reduce inherent risks to acceptable residual risks.
