CA NeWs Beta*: 2012 GOVERNANCE RISK ASSURANCE


Thursday, December 22, 2011

2012 GOVERNANCE RISK ASSURANCE

My Governance, Risk, and Assurance Wish List for 2012

Norman Marks, CPA, is vice president for SAP and has been a CAE at
major global corporations over the past 15 years.

Many if not most of the items on my wish list are aspirational at
best. They cover multiple areas, all coming together around my general
theme of better run organizations. They include aspects of governance,
risk management, internal audit, information, and performance
management.
I welcome your thoughts on these — which do you agree with, which do
you dislike, and overall how crazy am I?
1.  A globally-accepted organizational governance code, encompassing
both risk management and internal control — although more detailed
codes are required for both (see below). We may also need variations
for different types of entities: public for-profits, not-for-profits,
private companies, governments, etc. When I say "globally-accepted," I
mean accepted by the regulators around the world and mandated by them.
2.  The convergence of the COSO ERM Framework and the global ISO
31000:2009 risk management standard. The overall product (including
related guidance) has to:
a.  Be simple and easy to understand and use
b.  Provide guidance for the initial implementation of risk management
c.  Establish a vision for mature risk management
d.  Help you progress from initial to mature risk management maturity
e.  Support an evaluation of the effectiveness of risk management
f.   Guide the embedding of risk management into daily business
processes and decision-making, instead of being a separate process (or
more realistically set of processes)
g.  Emphasize the importance of the organizational culture and
attitude towards risk and performance (must be both), and provide
guidance on how to measure and then improve the culture as needed
h.  Explain the relationship between risk management and
strategy-setting processes
i.   Explain the relationship between risk management and performance
management, including the ability to show risk-adjusted performance
measures, forecasts, etc.
j.   Guide the oversight of risk management by the governing body
(usually the board of directors)
k.  Explain the relationship between the global governance framework
(above) and an internal controls framework (see below)
l.   Address the management of uncertainty with respect to
opportunities — the upside of risk
m. Address the need for the evaluation of risk to take into account
the opportunity for reward. Many if not most decisions are not
one-sided: the alternatives offer both upside and downside potential
at the same time. For example, (adverse) risks related to a new
product need to be considered together with the potential for revenue
and profit. Both negative and positive effects have likelihood and
impact. The guidance needs to explain how to consider the total
picture, not just the downside
n.  Discuss how different risk processes around the organization are
brought together in an enterprise-wide program. Discuss the need for
specialized processes for certain risk areas, such as commodity price
and currency fluctuation risk, IT vulnerability, etc., where not only
specialized knowledge may be required but sophisticated models as
well. Explain how to integrate risk assessment and evaluation when
some risk areas are measured using likelihood and others using
frequency.
o.  Be accepted globally by all interested parties: enterprise risk
management practitioners, insurance and safety managers, auditors and
assurance professionals, governance experts and board members,
operational managers, etc.
3.  An update of the COSO Internal Control Framework that recognizes
that internal controls are the organization’s response to uncertainty
(i.e., risk), and you need the controls to ensure the likelihood and
effects of uncertainty are within organizational tolerances.
4.  Agreement (maybe as part of #2) on the meaning of ‘risk appetite’,
‘risk tolerance’, ‘risk attitude’, ‘risk criteria’, and related terms.
All of this as part of guidance that explains how you can set guidance
on risk-taking that works not only for (a) the board and top
management (who want to set overall limits), but also for (b) the
people on the front lines who are the ones actually making decisions,
accepting risks, and taking actions to manage the risks. The guidance
also has to explain the need to measure and report on whether the
actions taken on the front lines aggregate to levels within
organizational tolerances.
5.  A change to the opinion provided by the external auditors, from
one focusing on compliance with GAAP to one focusing on whether the
financial reports filed with the regulators provide a true and fair
view of the results of operations, the condition of the organization,
and the outlook for the future. Note that I don’t expect the auditors
to have an opinion on the outlook, only that management has followed a
reasonable process, including the identification and evaluation of
risks.
6.  The inclusion in the reports filed with the regulators of:
a.  An opinion by management on the effectiveness of the
enterprise-wide risk management program. This could be based on the
assessment of the internal audit function.
b.  An opinion by the board that the compensation consultants (and
other experts whose guidance was relied on during the year) are
independent and free of inappropriate influence by management.
c.  An assessment by the chair of the board, on behalf of the full
board, of the effectiveness of organizational governance based on the
governance code. A periodic independent assessment should be made
(either by a third party or by the internal audit function).
7.  A change in attitude of investor groups, focusing on longer-term
value instead of short-term results. In particular, they should be
more active when it comes to director and executive compensation.
8.  The investors being required to approve, at the annual general
meeting, the director and executive compensation programs for the next
year.
9.  The SEC withdrawing the proposal to mandate auditor rotation. If
the audit committee is effective, this is not required. I believe it
will result in an adverse change to the quality of the external audit
and the cost to the organization.
10. Changes in the IIA’s standards for the professional practice of
internal auditing, including:
a.  A move to a principles-based set of standards, mandating that
audit engagements should be prioritized based on the risk to the
organization and the value provided by an internal audit project. The
mandate to perform audits of specific areas (such as the code of
ethics and IT governance) must be removed, replaced by guidance that
these areas be given strong consideration in developing the audit plan
b.  The clarification that assurance is only effectively provided when
there is a formal assessment and opinion provided to the stakeholders.
The chief internal auditor (CAE) should provide a formal assessment of
governance, risk management, and related internal control processes to
the board and top management at least once a year
c.  Consideration of the need to provide timely assurance. The
business can no longer afford to wait weeks or months to obtain
internal audit’s assessment
d.  The need to have a more continuous audit risk assessment and
planning process than annual. Internal audit should have a program
where it is addressing the risk areas of today and the future, not
what used to be a risk area
11. An improved understanding by the board and top management of the
value of internal audit as a provider of assurance relative to
governance, risk management, and related internal control processes.
Internal audit should not have to step in and perform management
functions (such as the identification of duplicate payments or invalid
transactions, the audit of contractors, or fraud detection and
investigation) to prove its value.
12. Finally, while I would like to see the term "GRC" disappear, I am
going to be somewhat realistic and only wish for a shared
understanding of what it means — and that meaning is the one used by
OCEG, summarized as "establishing and reliably achieving objectives,
considering risk, and remaining in compliance."
Do you like these 12? Which do you disagree with, or would modify?
What are your top wishes for 2012 (and beyond)?
Posted on Dec 20, 2011 by Norman Marks

CA Ramachandran Mahadevan, M.Com., F.C.A.