Corporate Governance: Beyond Compliance at a time of Recession

Prof. Ashley G. Frank

BA(Econ)[Magna Cum Laude], MDPA (Cum Laude], MBA, MCom [Cum Laude], DCom

 Codes, guidelines and initiatives of corporate governance introduced risk and control elements into various functional areas Firms have entered recession with compliance, legal, internal audit and enterprise risk management functions of considerable size and scope However often no singular cross-functional definition of what risk or compliance means. Recession must focus concerns over increased expenses and duplication of activities

 For Internal Auditors governance, risk and compliance: - risk to independence or - lead (advice on process requirements) and participate in the processes themselves ISPPIA (Standard 2110): assess and make recommendations for improving governance processes Status within organization determines how auditors deploy and manage dual roles: - primary driver or advise other functional areas driving the process

 Clarity of objectives and goals key to governance, risk and compliance processes Are solutions being sought in keeping with organizations goals, culture and stakeholder expectations? Common definition of issue significance and station for tracking & reporting Efficiencies through leveraging of common processes and increased knowledge sharing across functions Consistent view of an organizations risk and prioritize issues requiring management attention.

 But integrating governance, risk and compliance may be detrimental to individual risk and control units, thus: Thus: integration objectives must be clear (1) Adopt a strategic framework (2) Ask: How does integration help achieve the frameworks mission? Goal: Integration of common processes and alignment of focus Not: Added competition/distraction from units already exist or creation of new infrastructure.

A Strategic Framework for Corporate Governance

Strategic Top

Overall policy and risk appetite set by Board and Executive Management

Value Creation & Preservation

Each risk and control function continues to execute its unique role as a part of a fully integrated effort with a common goal to manage the organization's risks

Enterprise Risk Policy & Appetite Legal / Internal Audit / Compliance / Safety / IT / Finance King III

Policy establishes: - Role of each function -Common goal of managing organizations risks -Expectation of working relationships and knowledge sharing

Middle

Identify and leverage common processes, technologies and knowledge

Risk Assessment Emerging Risk Identification Risk/Control Monitoring (Key Risk Indicators)

Bottom

(1) Working team from functions which should participate

- establishes common understanding of integration, goals and internal vision, e.g.: agree common risk management concept maintain independence/objectivity of each function rationalize and harmonize approaches share information cross-functionally

(2) Discuss internal vision with executive management and board (or audit committee)
present both benefits and potential pitfalls! test against Strategic Framework

(3) Consider areas where initial opportunities for improvement exist

Usually among processes involving communications, knowledge-sharing, scheduling or risk assessments.

(4) Detail plans to tackle inceptive projects

Consider resourcing needs as well as mechanisms for feedback

(5) Develop an overall risk management policy

Include legal/technical/corporate governance aspects What is the organizations risk-appetite?

(6) Establish success factors and measurement points

Ensure feedback mechanism allows lessons to be learned

(7) Iterative process for further working group sessions

Develop a final vision and organization specific goals.

(8) Finalize Boards risk policy

Use working group reassessment outputs Is the current policy still valid or does a new one have to be developed?

(9) Gain Boards (or audit committee) formal approval

Internal auditors to provide assurance on both design and implementation of audit plan.

(10) Execute!