Mr. Seamus McCarthy:

Part of the code of governance is a requirement for an annual review of the effectiveness of the controls in the organisation. One of the things that should be reviewed in that exercise is the risk management system. It should be annually considered outside of the risk assessment process itself. There should be an exercise. Very often this is done by internal audit. This would be looking at whether the risk register is working for the organisation. There is also a requirement on a cyclical basis for an external review of risk management at least once every three years.