Improving strategic control and the control environment involves establishing high-level governance structures that set the "tone at the top" and oversee the organization's direction and risks.

An independent and expert Audit Committee (A) is a cornerstone of corporate governance. It provides oversight of financial reporting and internal controls, ensuring the integrity of information used for strategic decisions and enhancing the control environment.

A dedicated Risk Management Committee (C) directly implements strategic control by formally identifying, assessing, and monitoring strategic risks. This demonstrates a proactive approach to risk management, which is a critical component of a strong control environment and ensures the strategy's viability. Both are fundamental governance mechanisms, not day-to-day operational policies.

B. This is a specific, operational HR policy for cost control, not a high-level governance feature that shapes the overall strategic control or control environment.

D. This is a narrow operational directive that could create perverse incentives, leading to poor patient outcomes and reputational damage, thereby undermining strategic objectives.

E. This misuses the Head of Internal Audit in an operational approval role, which critically compromises their independence and weakens the overall governance structure.

1. Committee of Sponsoring Organizations of the Treadway Commission (COSO). (2013). Internal Control – Integrated Framework: Executive Summary. Page 5, Principle 2 states, "The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control." Both an independent Audit Committee (A) and a Risk Management Committee (C) are primary ways the board exercises this oversight.

2. Financial Reporting Council (FRC). (2018). The UK Corporate Governance Code. Section 4, Provision 24, requires the board to establish an audit committee of independent non-executive directors. Provision 25 states the board is responsible for determining the nature and extent of the principal risks it is willing to take, supporting the function of a Risk Management Committee (C).

3. Beasley, M. S., Clune, R., & Hermanson, D. R. (2005). Enterprise risk management: An empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy, 24(6), 521-531. This study highlights that board-level oversight and dedicated risk management functions are key drivers of effective Enterprise Risk Management (ERM), which is integral to strategic control. This directly supports the value of a Risk Management Committee (C). https://doi.org/10.1016/j.jaccpubpol.2005.10.001