Chapter 3 Governance

GOVERNANCE

1

CHAPTER 3

Chapter 3 Learning Objectives2

Define governance and contrast the different roles and responsibilities within governance.

Articulate the different enterprise-wide governance principles.

Describe the changes in regulations and how governance has evolved to its present state.

Describe the role of the internal audit function in the governance process.

Know where to find information about governance codes and regulations from countries around the world.

Exhibit 3-2

Internal Auditing: Assurance and Consulting Services, 2nd

3

Governance (from book)

Internal Auditing: Assurance and Consulting Services, 2nd Edition © 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA

4

The combination of processes and structures implemented by the Board to inform, direct, manage, and monitor the activities of the organization towards the achievement of its objectives.

Key Points


5

Not distinct and separate processes and structures – interrelationships between governance, risk, and controls

Must consider risk when setting strategyMust rely on internal controls and

communication

OECD Corporate Governance Principles


6

First released in May 1999 and revised in 2004, the OECD Principles are one of the 12 key standards for international financial stability of the Financial Stability Forum (FSF) and form the basis for the corporate governance component of the Report on the Observance of Standards and Codes of the World Bank Group.

OECD Definition7

Corporate governance involves a set of relationships between a company’s management, its board, its shareholders, and other stakeholders.

Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.

According to Cadbury Report,8

Corporate Governance is “the system by which companies are directed and controlled

Good corporate governance allows boards of

directors to be “free to drive their companies forward”, but exercise that freedom within a framework of effective accountability.

According to Wikipidi9

Corporate governance is the set of processes, customs, policies, laws, and institutions affecting the way a corporation (or company) is directed, administered or controlled. Corporate governance also includes the relationships among the many stakeholders involved and the goals for which the corporation is governed. The principal stakeholders are the shareholders, management, and the board of directors. Other stakeholders include employees, customers, creditors, suppliers, regulators, and the community at large.

Codes from around the world10

http://www.ecgi.org/codes/all_codes.php

Bangladesh


11

I. Mission of the Board of Directors Principle:

The Board of Directors should lead and oversee strategy and policy of the company and provide direction to the management. Board actions should be in the best interests of the company and shareholders.

Brazil


12

Corporate Governance is a corporate managing and monitoring system, involving relations with the Owners, Board of Directors, Officers, Independent Auditors, and Fiscal Council. Good corporate governance practices are geared to add value to a company, facilitate its access to capital and contribute to its perpetuation.

Exhibit 3-313

Some Video Clips


14

http://www.youtube.com/watch?v=KXd70r75V2whttp://www.youtube.com/watch?v=awUgAYks-Y8http://www.youtube.com/watch?v=wYtN-8st9xshttp://www.youtube.com/watch?v=ra-Sxjjv3-ghttp://www.youtube.com/watch?v=1jV0AUjx6Ik

Strategy


15

How management plans to achieve the organization’s objectives Key Business Objectives Stakeholder Expectations Performance Measures Risk Appetite

Exhibit 3-416


17

Roles and Responsibilities within Governance

Knowledge Check18

Which of the following represents the best governance structure? Operating Mgmt Executive Mgmt Internal Auditing a. Responsibility for Risk Oversight role Advisory role b. Oversight Role Responsibility for Risk Advisory Role c. Responsibility for Risk Advisory Role Oversight Role d. Oversight role Advisory Role Responsibility for

Risk

Board


19

Governance begins with the BoardBoard provides directionBoard is accountable to stakeholdersGovernance is executed by managementInternal and external activities provide

management and the board with assurance regarding effectiveness of governance

Stakeholders


20

Directly Involved – Employees, Customers, Vendors

Interested – InvestorsInfluence – Regulatory agencies, Rating

Agencies,

How does the Board enact good governance?

21

Governance CommitteeDetermine desired outcomesDetermine unacceptable outcomesArticulate RequirementsSet Risk AppetiteDelegate authorityEstablish reporting thresholdReevaluate periodically

One Big Four’s List of Board “HOT TOPICS” in Governance for 2011


22

Risk Management – where everyone minds the business Sustainable Development – the next transforming wave of change Strategy Development – the board as hands-on strategy leader Strategy Execution – Linking performance to strategy Corporate Planning – past results do not ensure future performance Shareholder engagement – the conversations are two-way Board evaluations – the best Boards have regular performance

checks Boardroom efficiency – do the right things better Director education – never stop learning Succession planning – the long and short of talent development Regulatory change – anticipating change for competitive advantage

Spencer Stuart – 5 Things Boards Should be Looking at


23

Board EffectivenessStrategyRisk OversightSustainabilitySuccession

http://www.spencerstuart.com/research/articles/1475

You Get What You Measure24

Measures are critical to such governanceMeasure the wrong things and results can be

disastrous. Measure the right ones—aligned with the strategic

plan and related business objectives—and managers are motivated and work together toward achieving corporate goals.

Identifying what drives value and then linking those drivers to measurements

25

Governance Maturity Model

Key Questions Directors Should be Asking26




30

Eight Priorities for 2013 (from the IIA)31

Crisis ManagementFraud and EthicsRegulatory ComplianceSocial MediaEmployee Talent ManagementEmerging TechnologiesERMGlobalization and Geopolitical Risks

Setting the Risk AppetiteDefining Risk Tolerance

32

Risk Appetite: The amount of risk, on a broad level, an organization is willing to accept in pursuit of its business objectives

Risk Tolerance: The acceptable levels of risk size and variation relative to the achievement of objectives, which must alight with the risk appetite of the organization.

How to set Risk Appetite?33

Determine stakeholdersDetermine needs and expectations of

stakeholdersIdentify potential outcomes that would be

unacceptable to stakeholders (harm and missed opportunities)

Consider outcomes in Financial, Compliance, Operational, and Strategic areas

Set tolerance levels/boundaries within which management should run organization

Cool video on the need to link risk and strategy


34

http://www.youtube.com/watch?v=qI0b4YZBp4k

How does management enact good governance?


35

Understanding the Board’s expectations, directions, risk appetite, and delegated authority

A process to identify, manage, and report on risks

Process to delegate authority to risk holdersGathering information to report on risks for

decision making and for Board

How does management enact governance responsibilities?


36

Establish a risk committee to identify risks, linked to management activities, and assigned to risk owners

Evaluate on-going risk appetite and ensure tolerance levels are consistent with risk appetite

Articulate reporting requirements – nature, format, timing of communication

Reevaluate governance expectations periodically

Knowledge Check


37

Which of the following are typical governance responsibilities of senior management?

I. Establishing a governance committee of the boardII. Delegating risk tolerance levels to risk managersIII.Monitoring day-to-day performance of specific risk management

activitiesIV.Ensuring that sufficient information is gathered to support reporting

to the board. II and III I, II, and IV II and IV I, II, III, and IV

What do Risk Owners Do?


38

Day to day responsibility for ensuring that risk management activities effectively manage risks within the organization’s risk appetite.

Keep risks within tolerable boundariesIdentify, measure, manage, monitor, and

report on their risksFront line of managing risks – key

contributors to good governance

Risk Owner Activities


39

Assessment of risks in terms of inherent nature of risk, source of risk, potential impact, proposed tolerance level, expected risk management activities.

Reevaluate risk management activities periodically

Assess risk management capabilitiesMonitor risk management activitiesReport risk management activities

Exhibit 3-640

Assurance Activities


41

An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization

Can be by external or internal parties; most commonly by internal audit function

The Board's Oversight Role


42

A board is not responsible for devising either measures or the measurement process. That's management's job. But it is responsible for ensuring that management has instituted meaningful measures to enable management to track and monitor performance and take swift corrective action where needed.

Continued

43

The board needs to know that it is getting the right information, on a timely basis, with management's analysis of where issues lie and what management plans to do.

Ultimately, the board needs to know that a process is firmly in place to provide the information they need to conduct meaningful oversight and assess progress toward effective strategy implementation and achievement of stated goals.

44

Internal Audit’s Role

Exhibit 3-145

2010 – Planning46

The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals

Interpretation: The chief audit executive is responsible for developing a

risk-based plan. The chief audit executive takes into account the organization's risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

2100 – Nature of Work


47

The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.

2100 - Nature of Internal Audit’s Work48

Help assess and improve governance by:Promoting appropriate ethics and valuesEnsuring effective performance management

and accountabilityEffectively communicating risk and control

informationEffectively coordinating the activities and

communicating information

2110 – Governance49

The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:Promoting appropriate ethics and values within the organization;Ensuring effective organizational performance management and accountability;Communicating risk and control information to appropriate areas of the organization; andCoordinating the activities of and communicating information among the board, external and internal auditors, and management.

Implementation Standards under 211050

2110.A1- The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.

2110.A2 - The internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives.

IA Activities to evaluate governance51

Ensure it understands Board’s governance direction and expectations, including its expectation of IA

Support management’s risk management program Involvement in risk management program Education Risk assessments “oversight” and input to risk decisions

Develop an IA plan that encompasses governance

Continued52

Determining whether the assertions made by the risk owners to senior management regarding the effectiveness of the risk management activities accurately reflect the current state of risk management effectiveness.

Determining whether the assertions made by senior management to the board regarding the effectiveness of the risk management activities provide the board with the information it desires about the current state of risk management effectiveness.

Continued….


53

Evaluating whether risk tolerance information is communicated timely and effectively from both the board to senior management and from senior management to the risk owners.

Assessing whether there are any other risk areas that are currently not included in the governance process, but should be (for example, a risk for which risk tolerance and reporting expectations have not been delegated to a specific risk owner).

Other Roles of Internal Auditing in Governance

54

Board Risks, Controls, and PracticesAudit specific documented governance processesProvide assurance on ways to improve

governance processes if they are not matureContribute to governance structures through

auditsAct as facilitators, assisting board in self-

assessment of governance activitiesObserve and formally assess GRC structural

design and operational effectiveness

IA’s Activities to Evaluate Governance55

Evaluating whether the various risk management activities are designed adequately to manage the risks associated with unacceptable outcomes.

Testing and evaluating whether the various risk management activities are operating as designed.

Aspects of Ethics Audits56

A "clear and understandable" formal code of conduct and related statements, policies--including procedures covering fraud and corruption--and other "expressions of aspiration."

The communications and demonstrations of expected ethical attitudes and behavior by the leaders of the organization.

Explicit strategies the firm uses to enhance its ethical culture.

Multiple means of confidentially reporting misconduct.

Continued57

Regular declarations by employees, suppliers, and customers that they understand the requirements for ethical behavior in conducting the organization's business.

Clear delegation of responsibilities to ensure that ethical consequences are evaluated, that confidential counseling is provided, that allegations of misconduct are investigated, and that case findings are properly reported.

Easy access to "learning opportunities to enable all employees to be ethics advocates."

Continued58

Personnel practices that encourage employees to be ethical.

Regular use of surveys to determine the organization's ethical climate.

Regular reviews of processes that might undermine the organization's ethical culture.

Regular reference and background checks as part of the hiring process.

Chapter 3 Governance

Documents

chief audit

internal audit

internal audit

key questions

risk management

risk appetite

corporate

internal auditing