Risk Management And Internal Control For Companies Listed On The Kuwait Stock Exchange

In accordance with the rules of corporate governance contained in the fifteenth book of the executive regulations of the law establishing the Capital Markets Authority and regulating the activity of securities, the board of directors of the company listed on the Kuwait Stock Exchange shall have the ability to understand and analyze the nature and size of the risks facing the company’s activities to reduce them as much as possible in addition to determining the appropriate procedures to deal with them. This includes identifying the internal or external factors that led or lead to the occurrence of such risks as well as developing ways to confront them, in light of the specific strategies and policies set in this regard, especially the company’s inclination to risk.

The sound management of risks shall have effective internal control systems that provide control over the integrity of the financial statements, the efficiency of the company’s business, and evaluate the extent of compliance with the controls.

The company’s organizational structure (approved by the Board of Directors) shall have an independent department / office / unit for risk management that basically works to measure, monitor and reduce all types of risks that face the company, in accordance with the following:

  1. That the company sets the effective systems and procedures for risk management, so as to be able to perform its main tasks of measuring and monitor all types of risks to which the company is exposed, provided that this process is carried out continuously and is reviewed periodically, and the systems and procedures are modified when needed.
  2. The company shall develop periodic reporting systems, as they are one of the important tools in monitoring risks and reducing their occurrence.
  3. Those in charge of the risk management / office / unit shall have independence through their direct subordination to the Risk Committee, as well as to having a large number of powers so as to carry out their tasks to the fullest without giving them financial powers and authorities or any powers or authorities that conflict with their supervisory role.
  4. The risk management office/ unit shall have qualified human cadres who have professional competencies and technical capabilities.
  5. Reviewing the deals and transactions proposed to be carried out by the company with relevant parties, and submitting appropriate recommendations in this regard to the Board of Directors.
  6. The Board of Directors shall form a committee called the Risk Management Committee, who shall not be less than three, provided that its chairman is a non-executive member of the Board of Directors. The chairman of the board of directors may not be a member of this committee, and the board of directors shall determine the term of membership of the committee members and its working method.

The following are the powers and duties of the committee as a minimum:

  1. Setting and reviewing risk management strategies and policies before they are approved by the Board of Directors, and ensuring the implementation of these strategies and policies, and that they are commensurate with the nature and size of the company’s activities.
  2. Ensuring the availability of adequate resources and systems to manage risks.
  3. Evaluating the systems and mechanisms for identifying, measuring, and following up on different types of risks that the company may be exposed to, so as to identify their deficiencies.
  4. Assisting the Board of Directors in determining and evaluating the acceptable level of risk in the company, and ensuring that the company does not overstep this level of risks after being approved by the Board of Directors.
  5. Reviewing the organizational structure of risk management and making recommendations in this regard before it is approved by the Board of Directors.
  6. Ensuring the independence of risk management staff from activities that expose the company to risks.
  7. Ensuring that the risk management staff have a full understanding of the risks that the company is exposed to and act to increase the employees’ awareness of the culture of risks.
  8. Preparing periodic reports on the nature of the risks to which the company is exposed, and submitting these reports to the company’s Board of Directors.
  9. Reviewing the issues raised by the relevant audit committee that may affect the company’s risk management.
  10. The Risk Management Committee shall hold periodic meetings, at least four times a year, as well as where necessary, and it shall take the minutes of its meetings.

The company shall have internal control and monitoring systems for all the company’s activities, as the internal control systems work to preserve the company’s financial integrity, the accuracy of its data and the efficiency of its operations from various aspects, provided that the company’s organizational structure takes into account the principles of internal control of the dual control process (Four Eyes principles), which are as follows:

  1. Correct identification of authorities and responsibilities.
  2. Complete separation of duties and no conflict of interest.
  3. Dual inspection and control.
  4. Dual signature.

The company shall establish an internal audit department/office/unit that has complete technical independence, in accordance with the following:

  1. The audit committee, and by extension, the Board of Directors.
  2. That the director of the internal audit department / office / unit shall be appointed directly by the Board of Directors and based on the nomination of the Audit Committee.
  3. That the Board of Directors shall identify the tasks and responsibilities of the internal audit department / office / unit.

The internal audit department / office / unit shall prepare a report that includes a review and assessment of the internal control systems applied in the company, provided that the report includes the following:

  1. Procedures for controlling and supervising the efficiency and effectiveness of the internal control systems that are necessary to protect the company’s assets, the integrity of the financial statements, and the efficiency of its operations in their administrative, financial and accounting aspects.
  2. Comparing the development of risk factors in the company and the existing systems to assess the efficiency of the company’s daily business, and to face unexpected changes in the market.
  3. Evaluating the performance of the executive management in applying internal control systems.
  4. The reasons for the failure to apply internal control, weaknesses in its application, emergency situations that affected or may affect the financial performance of the company, and the procedure that the company has taken in addressing the failure to implement internal control.

An independent audit office shall be assigned to evaluate and review the internal control systems and prepare a report in this regard (Internal Control Report), which is submitted to the Authority on an annual basis. Another audit office shall review and evaluate the performance of the internal audit department / office / unit periodically every three years, provided that a copy of this report shall be submitted to the Internal Audit Committee and the Board of Directors.

If you are looking for a Kuwaiti law firm that specializes in providing legal services to the securities, capital and stock market activities, you can count on us at Taqneen, Law Firm and Legal Consultations.

To book an appointment or request legal advice about the duties of securities companies in the optimal implementation of clients’ orders, we are pleased to receive your inquiries at (info@Taqneen.com).