November 20th 2020

Fundamentals of governance, risk and control

Corporate governance is the process by which companies (and other entities) are directed and controlled. Boards of directors are responsible for the governance of their companies; in charities, it is the trustees who are responsible.

The board’s responsibilities include setting the entity’s strategic aims; providing leadership to put those aims into effect; supervising the management team; and reporting to the shareholders (where applicable). The board’s actions are subject to laws, regulation, and the shareholders in general meeting.

Although governance is a topic that is frequently discussed in the context of large, listed companies, it is also of great relevance and importance to SMEs. So I highlight below some of the key principles, as applicable to smaller businesses and other entities.

The following points are largely drawn from the UK Corporate Governance Code, but with modification to make them more directly relevant to smaller entities.

Leadership

  • an effective board which is collectively responsible for the success of the entity
  • clear division of responsibilities, including between executive and (where applicable) non-executive roles
  • chairman is responsible for the leadership and effectiveness of the board

Effectiveness

  • board composition has an appropriate balance of skills, experience, independence, and knowledge
  • robust procedures for the appointment, induction, and re-election of directors
  • board to be supplied with the information it needs, on a timely basis, to enable it to operate properly
  • effective performance of the board and of the individual directors to be monitored and evaluated regularly

Accountability

  • board to make fair assessments of the entity’s position and prospects
  • board is responsible for identifying the principal risks to the entity, associated with the overall strategy and objectives
  • board oversees the operation of appropriate risk management and internal control activities (see below)

Remuneration

  • directors’ remuneration (where applicable) should be designed to promote the long-term success of the entity

Relations with shareholders

  • effective and open dialogue between the board and the shareholders / members / investors

More about risk management and internal controls

Risk management is basically good management discipline. What we are concerned with here - even in a small business context - is:

  1. identifying and evaluating things that could go wrong that might adversely impact your business ("risks");
  2. if you are concerned that those risks are unacceptable, deciding what you are going to do about it;
  3. your response to the risk may be to accept, avoid, share or transfer it, and/or to mitigate it to an acceptable level; and
  4. using "internal controls" to mitigate the identified risks to an acceptable level.

What sort of risks are we talking about here? Basically, anything that could go wrong that might have an adverse impact on the business, including the finances. We can think of business risks falling into internal and external categories:

  • internal risks - may include those relating to people, technology, physical and operational matters; and
  • external risks - may include those relating to economic, environmental and political matters

Pretty much all SMEs operate internal controls in some form or other, though most smaller businesses may not even be aware that they are doing so!

An internal control is basically a system (or systems) within an organisation that either prevents some adverse event from happening, or detects such an adverse event so that the management or directors can do something about it. The idea is to prevent, or reduce the impact of, events that would have an adverse effect on the entity, especially on the finances.

The principal types of internal control can be categorised using the well-known "SOAPSPAM" mnemonic:

  • Supervision – supervisory activities designed to make sure things are done correctly;
  • Organisation – having a clear and common understanding of how the organisation is structured, what the roles & responsibilities are;
  • Accounting & arithmetic – accounting activities designed to prevent or detect financial loss and ensure that financial reports present an accurate picture (like bank and other control account reconciliations, for example);
  • Physical – controls over the physical security of assets (like locking up buildings, or keeping cash in a safe);
  • Segregation – segregating duties between different individuals in order to reduce error and reduce the likelihood of fraud and misappropriation;
  • Personnel – the selection and training of personnel so that the people in the entity have the right culture and values, and perform their duties optimally;
  • Authorisation & approval – having clear delegated authorities in place and processes to ensure that decisions are made and executed only by those with the appropriate authority (like taking on a new customer, granting credit, ordering goods or paying a supplier);
  • Management – exercising effective management through appropriate planning, execution, monitoring, reporting and follow up activities.

If you’d like to discuss any of the matters in this blog, or find out how we can advise on the governance and control arrangements in your organisation, contact us today.
