Corporate Governance: Beyond Compliance at a Time of Recession
Prof. Ashley G. Frank BA(Econ) [Magna Cum Laude], MDPA [Cum Laude], MBA, MCom [Cum Laude], DCom
Codes, guidelines and initiatives of corporate governance have introduced risk and control elements into various functional areas
• Firms have entered the recession with compliance, legal, internal audit and enterprise risk management functions of considerable size and scope
• However, there is often no single cross-functional definition of what “risk” or “compliance” means
• The recession must focus concerns on increased expenses and duplication of activities
For internal auditors, governance, risk and compliance is either:
- a risk to independence, or
- an opportunity to lead (advise on process requirements) and participate in the processes themselves
• ISPPIA (Standard 2110): “assess and make recommendations for improving governance processes”
• Status within the organization determines how auditors deploy and manage these dual roles:
- primary driver, or adviser to other functional areas driving the process
Clarity of objectives and goals is key to governance, risk and compliance processes
• Are the solutions being sought in keeping with the organization’s goals, culture and stakeholder expectations?
• Common definition of issue significance and station for tracking and reporting
• Efficiencies through leveraging of common processes and increased knowledge sharing across functions
• A consistent view of the organization’s risk, used to prioritize issues requiring management attention
But integrating governance, risk and compliance may be detrimental to individual risk and control units; thus integration objectives must be clear:
• Adopt a strategic framework
• Ask: how does integration help achieve the framework’s mission?
Goal: integration of common processes and alignment of focus
Not: added competition or distraction for units that already exist, or creation of new infrastructure
[Figure: A Strategic Framework for Corporate Governance (three levels: Top, Middle, Bottom)]
Top: Value Creation & Preservation
Middle: Enterprise Risk Policy & Appetite (King III)
Bottom: Legal / Internal Audit / Compliance / Safety / IT / Finance; Risk Assessment; Emerging Risk Identification; Risk/Control Monitoring (Key Risk Indicators)
Overall policy and risk appetite are set by the Board and Executive Management. Policy establishes:
• the role of each function
• the common goal of managing the organization’s risks
• the expectation of working relationships and knowledge sharing
Each risk and control function continues to execute its unique role as part of a fully integrated effort with a common goal to manage the organization’s risks. Identify and leverage common processes, technologies and knowledge.
(1) Form a working team from the functions that should participate; it establishes a common understanding of “integration”, goals and an internal vision, e.g.:
- agree a common risk management concept
- maintain the independence and objectivity of each function
- rationalize and harmonize approaches
- share information cross-functionally
(2) Discuss the internal vision with executive management and the board (or audit committee)
- present both benefits and potential pitfalls!
- test against the Strategic Framework
(3) Consider areas where initial opportunities for improvement exist
- usually among processes involving communications, knowledge-sharing, scheduling or risk assessments
(4) Detail plans to tackle the initial projects
- consider resourcing needs as well as mechanisms for feedback
(5) Develop an overall risk management policy
- include legal, technical and corporate governance aspects
- what is the organization’s “risk appetite”?
(6) Establish success factors and measurement points
- ensure the feedback mechanism allows lessons to be learned
(7) Run an iterative process of further working group sessions
- develop a final vision and organization-specific goals
(8) Finalize the Board’s risk policy
- use the working group’s reassessment outputs
- is the current policy still valid, or does a new one have to be developed?
(9) Gain the Board’s (or audit committee’s) formal approval
- internal auditors provide assurance on both the design and the implementation of the audit plan
(10) Execute!