TRANSCRIPT
What Auditors Need to Know About Emerging Risk Oversight Expectations
Tim Leech FCA CIA CCCSA CFE
Managing Director Global Services, Risk Oversight Inc.
www.twitter.com/riskoversight
© Risk Oversight Inc.
Agenda
• Risk Oversight (“RO”) – what is it?
• Why has it suddenly become important?
• What do the new disclosure rules require?
• What should the Board want?
• How have companies responded?
• Attributes of “excellent” RO disclosures
• What’s the downside if you don’t do a good job?
• What’s Internal Audit’s role?
• What’s the role of risk specialist groups?
• Questions
There is no generally accepted definition - yet
Risk
Definition: Effect of uncertainty on objectives
(Source: ISO Guide 73 Risk Management - Vocabulary)
o·ver·sight /ˈōvərˌsīt/ noun – TRICKY DUAL MEANING!!!!!!!
– 1. An unintentional failure to notice or do something.
– 2. The action of overseeing something.
Risk o·ver·sight – the action of overseeing the effect of uncertainty
on objectives not unintentionally failing to see big risks that could
kill the organization. (Tim’s definition, no authoritative support)
Risk Oversight: What is it?
Enterprise risk management is a process, effected by the entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives.
Source: COSO’s Enterprise Risk Management – Integrated Framework (2004)
Per COSO ERM 2004 Boards of Directors should
oversee the ERM process and define their “risk
appetite”.
(NOTE: Unfortunately COSO 2012 ED issued Dec 2011 doesn’t appear to put much
emphasis on the critical importance of effective board oversight of management’s
risk appetite/tolerance)
Risk Oversight: What is it?
Risk Oversight: Reverse Engineered
While risk oversight objectives may vary from company to company, every
board should be certain that:
• the risk appetite implicit in the company’s business model, strategy, and
execution is appropriate
• the expected risks are commensurate with the expected rewards
continued…
Source: NACD Blue Ribbon Commission: Risk Governance: Balancing Risk and Reward
Risk Oversight: What is it?
While risk oversight objectives may vary from company to company, every
board should be certain that:
• management has implemented a system to manage, monitor, and mitigate
risk, and that system is appropriate given the company’s business model and
strategy
• the risk management system informs the board of the major risks facing the
company
• an appropriate culture of risk-awareness exists throughout the organization
• there is recognition that management of risk is essential to the successful
execution of the company’s strategy
Source: NACD Blue Ribbon Commission: Risk Governance: Balancing Risk and Reward
Risk Oversight: What is it?
Per COSO 2012 ED – still a “control-centric” view
The board should be kept apprised of the risks to the achievement of the entity’s objectives, evaluations of control deficiencies, actions management is taking to mitigate such deficiencies, and how management determines that the entity’s internal control system remains effective.
(Source: Internal Control – Integrated Framework, Executive Summary, December 2011, COSO, page 10)
COSO 2012 ED proposes a relatively passive role for the board. There is no reference in the ED principles section to the critical role the board should/must play in overseeing that risk is being managed within the organization’s risk appetite and tolerance. COSO 2012 is not aligned with the NACD Blue Ribbon principles or emerging regulatory expectations related to board oversight of risk.
Risk Oversight: What is it?
Per the CICA in Canada:
The CICA exposure draft on board oversight of risk was issued in Dec 2010. Comments were due March 31, 2011. The CICA has not announced when or if the final guidance will be issued.
Many of those commenting on the CICA board risk
oversight ED raised serious concerns with it.
What we do know is the authors of the CICA guidance
didn’t see IA playing a significant role supporting boards
with their risk oversight duties. IIA Canada filed a response
objecting to this position. Time will tell if the CICA
listened.
Risk Oversight: What is it?
REASON #1 – The Global Financial Crisis:
Deficient Risk Management/Oversight a Root Cause
• the failure of some boards of directors and senior managers to establish,
measure, and adhere to a level of risk acceptable to the firm;
• compensation programs that conflicted with the control objectives of the
firm;
• inadequate and often fragmented technological infrastructures that
hindered effective risk identification and measurement; and
• institutional arrangements that conferred status and influence on risk takers
at the expense of independent risk managers and control personnel.
Source: Senior Supervisors Group: Risk Management Lessons From the Global Banking Crisis of 2008
Why has it suddenly become important?
REASON #2 linked to REASON #1 - Boards have recently (in
2010) been explicitly told by Canadian and U.S. regulators
they are “on the hook” for risk oversight
Disclosure regarding oversight and management of risks should indicate:
• the board’s responsibility for oversight and management of risks, and
• any board and management-level committee to which responsibility for
oversight and management of risks has been delegated.
Source: CSA Staff Notice 58-306 2010 Corporate Governance Compliance Disclosure Review
Dec 2 2010
Why has it suddenly become important?
Canada has provided the clearest expectations to date
The disclosure should provide insight into:
• the development and periodic review of the issuer’s risk profile
• the integration of risk oversight and management into the issuer’s
strategic plan
• the identification of significant elements of risk management, including
policies and procedures to manage risk, and
• the board’s assessment of the effectiveness of risk management policies
and procedures, where applicable.
Source: CSA Staff Notice 58-306 2010 Corporate Governance Compliance Disclosure Review
Dec 2 2010
What do the new disclosure rules require?
What the U.S. wants is still at an embryonic stage
(read “vague and open to interpretation”)
Disclosure about the board’s involvement in the oversight of the
risk management processes should provide important
information to investors about how a company perceives the role
of its board and the relationship between the board and senior
management in managing the material risks facing the company.
Source: SEC Release Nos. 33-9089 Proxy Disclosure Enhancements page 44
What do the new disclosure rules require?
What should a Board want?
1. Adequate, timely, and relevant information on
residual risk status – current and linked to the
organization’s strategic plan – a consolidated report
on residual risk status.
2. Independent assurance on the reliability of the
consolidated report on residual risk status provided
by management, from the internal audit function or
an outside source if the company has no IA function.
Unfortunately, very few boards currently get this information.
Canadian Regulators:
In December 2010 the CSA implied they weren’t happy, described what they
want to see, and stated:
In light of ongoing international developments
regarding the disclosure of risk management
practices, this is an area that we will continue
to monitor.
Source: CSA Staff Notice 58-306
How have companies responded?
Surveys done by Deloitte, PwC, RIMS, ermINSIGHTS, law firms and others in the U.S. have found:
1. Quality of disclosure is highly
variable.
2. Some companies have not
complied, or provided largely
useless boilerplate.
3. Some companies have done a
good job explaining how the
board of directors oversees
risk.
How have companies responded?
Scans we have done of Canadian public company filings in 2011 suggest that many Canadian companies, including financial service companies, are not complying with the CSA Staff Notice 58-306 risk oversight disclosure expectations noted earlier in this presentation.
How have companies responded?
Example of Risk Oversight Disclosure: Coca Cola 2010 Proxy – A Rolls Royce Disclosure
The Board’s Role in Risk Management
The Board’s responsibilities include ensuring that the assets of the Company are properly
safeguarded, that the appropriate financial and other internal controls are maintained and that the
Company’s business is conducted wisely and in compliance with applicable laws and regulations
and proper governance.
Included in these responsibilities is the Board’s understanding and oversight of the various
risks facing the Company.
The Board does not view risk in isolation. Risks are considered in virtually every business decision
and as part of the Company’s business strategy. The Board recognizes that it is neither possible nor
prudent to eliminate all risk. Indeed, purposeful and appropriate risk-taking is essential for the
Company to be competitive on a global basis and to achieve the objectives set forth in its 2020
Vision.
Continued…
How have companies responded?
The Board’s Role in Risk Management
…Effective risk oversight is an important priority of the Board. The Board has
implemented a risk governance framework designed to:
• understand critical risks in the Company’s business and strategy;
• allocate responsibilities for risk oversight among the full Board and its committees;
• evaluate the Company’s risk management processes and whether they are functioning adequately;
• facilitate open communication between management and Directors; and
• foster an appropriate culture of integrity and risk awareness.
Continued…
Example of Risk Oversight Disclosure: Coca Cola 2010 Proxy
How have companies responded?
The Board’s Role in Risk Management
…While the Board oversees risk management, Company management is charged with
managing risk.
The Company has robust internal processes and a strong internal control environment which
facilitate the identification and management of risks and regular communication with the
Board.
These include an enterprise risk management program, a risk management committee
co-chaired by the Chief Financial Officer and the General Counsel, regular internal
management disclosure committee meetings, Codes of Business Conduct, robust
product quality standards and processes, a strong ethics and compliance office and a
comprehensive internal and external audit process.
Continued…
Example of Risk Oversight Disclosure: Coca Cola 2010 Proxy
How have companies responded?
The Board’s Role in Risk Management
The Board and the Audit Committee monitor and evaluate the effectiveness of the
internal controls and the risk management program at least annually.
Management communicates routinely with the Board, Board committees and individual
Directors on the significant risks identified and how they are being managed. Directors are
free to, and indeed often do, communicate directly with senior management.
The Board implements its risk oversight function both as a whole and through delegation to
Board committees, which meet regularly and report back to the full Board. All committees
play significant roles in carrying out the risk oversight function. In particular…
Continued…
Example of Risk Oversight Disclosure: Coca Cola 2010 Proxy
How have companies responded?
The Board’s Role in Risk Management
• The Audit Committee oversees risks related to the Company’s financial statements, the
financial reporting process, accounting and legal matters. The Audit Committee oversees the
internal audit function and the Company’s ethics programs, including the Codes of Business
Conduct. The Audit Committee members meet separately with the Company’s General
Counsel, Chief of Internal Audit and representatives of the independent auditing firm.
• The Compensation Committee evaluates the risks and rewards associated with the
Company’s compensation philosophy and programs. As discussed in more detail in the
Compensation Discussion and Analysis beginning on page 50, the Compensation Committee
reviews and approves compensation programs with features that mitigate risk without
diminishing the incentive nature of the compensation. Management discusses with the
Compensation Committee the procedures that have been put in place to identify and mitigate
potential risks in compensation.
Continued…
Example of Risk Oversight Disclosure: Coca Cola 2010 Proxy
How have companies responded?
The Board’s Role in Risk Management
• The Finance Committee oversees certain financial matters and risks relating to pension plan
investments, currency risk and hedging programs, mergers and acquisitions and capital
projects.
• The Public Issues and Diversity Review Committee oversees issues that could pose
significant reputational risk to the Company.
• The Management Development Committee oversees management development and
succession planning across senior management positions.
Continued…
Example of Risk Oversight Disclosure: Coca Cola 2010 Proxy
How have companies responded?
How have companies responded?
The Board’s Role in Risk Management
... In addition, annually, one meeting of the full Board is dedicated primarily to
evaluating and discussing risk, risk mitigation strategies and the Company’s internal
control environment.
Topics examined at this meeting include, but are not limited to, financial risks, political and
regulatory risks, legal risks, supply chain and quality risks, information technology risks,
economic risks and risks related to the Company’s transformation efforts. Because overseeing
risk is an ongoing process and inherent in the Company’s strategic decisions, the Board also
discusses risk throughout the year at other meetings in relation to specific proposed
actions….
Source: The Coca Cola Company 2010 Proxy, pages 30-31 (http://bit.ly/o8xWJF)
Example of Risk Oversight Disclosure: Coca Cola 2010 Proxy
In Canada – provide what the CSA say they want – insight into:
• development and review of issuer’s “risk profile”
• integration of risk oversight/management and strategic
planning
• identification of significant elements of risk
management
• the board’s assessment of the effectiveness of risk
management policies and procedures
Attributes of “excellent” RO disclosures
In the U.S. it isn’t clear what the SEC wants. It’s subject to “best
guess” interpretation. Some “best guesses” from informed
sources:
Deloitte did research in 2010 and 2011 and has published some criteria for
risk oversight disclosures – Risk Intelligent Proxy Disclosures.
(http://bit.ly/quRuZN)
PwC has published a summary of opportunities to enhance risk-oversight
practices in “Point of View” May 2010. Key conclusions – there should be
no ambiguity about the board’s responsibility and “the most informative
disclosures shed light on relationships and processes”.
(http://pwc.to/iNBhuJ)
Attributes of “excellent” RO disclosures
Tim’s Best Guesses/Pragmatic Suggestions
Attribute #1
Focus on what institutional investors say they want (see ICGN
Corporate Risk Oversight Guidelines at http://bit.ly/e7tSFu)
Institutional investors have a big influence on stock price.
Attribute #2
Focus on what credit agencies like S&P want. (http://bit.ly/jScZ9q)
They can impact your credit rating, which impacts cost of capital,
which impacts profits, which impacts stock value, which impacts
officer/board remuneration.
Attributes of “excellent” RO disclosures
Tim’s Best Guesses/Pragmatic Suggestions
Attribute #3
Focus on what the regulator (CSA in Canada/SEC in U.S.) say they
want to see and take steps to see if your organization will consider
adopting the “stretch” NACD board risk oversight criteria listed
earlier in this presentation.
Attribute #4
Have processes in place that seek consensus agreement on the
acceptability of residual risk status on high value-adding and
potentially high value-eroding objectives up to, and including, the
board (i.e. what can make us successful and what could hurt/kill us).
Attributes of “excellent” RO disclosures
• SEC and/or OSC may review and
require you re-file or put you on
their watch list – unlikely but
possible. In the banking sector
regulators may be more aggressive.
• Missed opportunity to influence
share price – particularly with
institutional investors
• Missed opportunity to influence
credit rating
• Jail time and fines for bad
disclosures are very unlikely
What’s the downside if you don’t do a good job?
Board and senior management may have heightened personal liability risk if they cannot demonstrate due diligence when something really big goes wrong. So far the Canadian and U.S. civil standard of care for board oversight of risk is very low.
Delaware directors have a fiduciary duty to set up and oversee a system
that will inform them of material risks. They are liable for breach if they act
in bad faith by not setting up any system, deliberately failing to oversee the
system they do set up, or not heeding the warnings that the system
generates.
Source: Insights: Corporate & Securities Law Advisor - Vol. 24, No. 5, Pgs. 2-10 Disclosing Board's Oversight
Methods Since The SEC Rules Changed, Kathleen Friday, Tracy Crum, and Benjamin Morgan
What’s the downside if you don’t do a good job?
The company has heightened reputation risk if its ERM system allows an event with a negative share-price impact that could reasonably have been prevented.
Some recent examples: UBS, BP Gulf of Mexico, Enbridge Michigan
ROGUE TRADER STORY: UBS Shares Tank After Bank Says
Rogue Trader Lost It $2 BILLION (Sept 15, 2011)
Update: MF Global Client Funds Still Missing (December 29, 2011)
What’s the downside if you don’t do a good job?
• Huge, unprecedented opportunity to provide value-adding support
services for board risk oversight disclosures and overall risk
management. The IIA has announced a new professional certification
– Certification in Risk Management Assurance (“CRMA”). Over 1000
members have already applied for grandfathering.
• Opportunity to comply with IIA Standards – Section 2120 that states
IA “must” assess and presumably report on the effectiveness of the
company’s risk management processes.
• Unfortunately, RO’s surveys suggest many IA departments have
decided not to comply with this professional practice standard.
What’s Internal Audit’s role?
SIMPLY PUT:
Internal Audit’s role should be to ensure
that senior management and the board are
aware of the current residual risk status and
help their organization better meet emerging
risk management and oversight
expectations.
What’s Internal Audit’s role?
SIMPLY PUT:
This should include an annual IIA IPPF
section 2120 report on the effectiveness of the
organization’s risk management processes.
RO recommends these assessments be done
against the NACD/CSA board risk oversight
expectations.
What’s internal audit’s role?
Risk specialists, ERM sponsor groups and IA should
focus their energy on creating “demand driven
assurance”.
This means developing strategy to shift from the current
predominant “supply driven” ERM/IA initiatives to
“demand driven” where senior management and the board
know what they want/need assurance on and demand it.
This requires educating the board and senior management
on emerging risk oversight expectations.
(See http://riskoversight.ca/ro-regs for details on Canadian and U.S.
expectations)
What’s the role of risk specialists?
Risk specialists need to demand that COSO and/or
the IIA devote more resources to studying why
tens of thousands of ERM initiatives around the
world have either failed badly or, at best, been sub-optimized,
particularly in many large financial
institutions, and take steps to address these ERM
implementation “risks” in their organization.
It doesn’t help if IA does 2120 audits against
flawed risk management criteria – it’s like making
bad practices a law.
What’s the role of risk specialists?
The Risk Oversight website www.riskoversight.ca
home page has a link to a white paper titled
“The High Cost of ERM HERD MENTALITY”.
The article details “ERM HERD MENTALITY
WRONG TURNS” and provides
recommendations for “ERM HERD LEADERS”,
including COSO, the IIA, the SEC, ISO and others,
detailing what needs to change.
What’s the role of risk specialists?
All risk specialists and internal auditors should review in detail
the 20 year update of COSO 92 issued by COSO in December.
Risk Oversight believes that this framework will become the
generally accepted framework for public reporting on internal
control around the world and, more importantly, that the COSO
2012 ED is still “fatally flawed”, particularly with respect to
risk management and risk oversight.
Please take the time to file comments with COSO by the March
31 deadline to prevent the SEC in the U.S. and the CSA in
Canada legislating the use of a flawed framework for public
reporting on risk and control management.
What’s the role of risk specialists?
QUESTIONS?
Contact Information:
Tim Leech, Managing Director Global Services
Risk Oversight Inc.
www.riskoversight.ca
www.twitter.com/RiskOversight