
What Auditors Need to Know About Emerging Risk Oversight Expectations

Tim Leech FCA CIA CCCSA CFE

Managing Director Global Services, Risk Oversight Inc.

[email protected]

www.twitter.com/riskoversight

© Risk Oversight Inc.

Agenda

• Risk Oversight (“RO”) – what is it?
• Why has it suddenly become important?
• What do the new disclosure rules require?
• What should the Board want?
• How have companies responded?
• Attributes of “excellent” RO disclosures
• What’s the downside if you don’t do a good job?
• What’s Internal Audit’s role?
• What’s the role of risk specialist groups?
• Questions

Risk Oversight: What is it?

There is no generally accepted definition - yet

Risk

Definition: Effect of uncertainty on objectives
(Source: ISO Guide 73 Risk Management - Vocabulary)

o·ver·sight /ˈōvərˌsīt/ noun – TRICKY DUAL MEANING!
– 1. An unintentional failure to notice or do something.
– 2. The action of overseeing something.

Risk o·ver·sight – the action of overseeing the effect of uncertainty on objectives, not unintentionally failing to see big risks that could kill the organization. (Tim’s definition, no authoritative support)

Risk Oversight: What is it?

Enterprise risk management is a process, effected by the entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives.
Source: COSO’s Enterprise Risk Management – Integrated Framework (2004)

Per COSO ERM 2004, Boards of Directors should oversee the ERM process and define their “risk appetite”.

(NOTE: Unfortunately the COSO 2012 ED, issued Dec 2011, doesn’t appear to put much emphasis on the critical importance of effective board oversight of management’s risk appetite/tolerance.)

Risk Oversight: What is it?

Risk Oversight: Reverse Engineered

While risk oversight objectives may vary from company to company, every board should be certain that:
• the risk appetite implicit in the company’s business model, strategy, and execution is appropriate
• the expected risks are commensurate with the expected rewards

continued…
Source: NACD Blue Ribbon Commission: Risk Governance: Balancing Risk and Reward

Risk Oversight: What is it?

While risk oversight objectives may vary from company to company, every board should be certain that:
• management has implemented a system to manage, monitor, and mitigate risk, and that system is appropriate given the company’s business model and strategy
• the risk management system informs the board of the major risks facing the company
• an appropriate culture of risk-awareness exists throughout the organization
• there is recognition that management of risk is essential to the successful execution of the company’s strategy

Source: NACD Blue Ribbon Commission: Risk Governance: Balancing Risk and Reward

Risk Oversight: What is it?

Per COSO 2012 ED – still a “control-centric” view

The board should be kept apprised of the risks to the achievement of the entity’s objectives, evaluations of control deficiencies, actions management is taking to mitigate such deficiencies, and how management determines that the entity’s internal control system remains effective.
(Source: Internal Control – Integrated Framework, Executive Summary, December 2011, COSO, page 10)

COSO 2012 ED proposes a relatively passive role for the board. There is no reference in the ED principles section to the critical role the board should/must play overseeing that risk is being managed within the organization’s risk appetite and tolerance. COSO 2012 is not aligned with the NACD Blue Ribbon principles or emerging regulatory expectations related to board oversight of risk.

Risk Oversight: What is it?

Per the CICA in Canada: The CICA exposure draft on board oversight of risk was issued in Dec 2010. Comments were due March 31, 2011. The CICA has not announced when or if the final guidance will be issued.

Many of those commenting on the CICA board risk oversight ED raised serious concerns with it.

What we do know is the authors of the CICA guidance didn’t see IA playing a significant role supporting boards with their risk oversight duties. IIA Canada filed a response objecting to this position. Time will tell if the CICA listened.

Why has it suddenly become important?

REASON #1 – The Global Financial Crisis: Deficient Risk Management/Oversight a Root Cause

• the failure of some boards of directors and senior managers to establish, measure, and adhere to a level of risk acceptable to the firm;
• compensation programs that conflicted with the control objectives of the firm;
• inadequate and often fragmented technological infrastructures that hindered effective risk identification and measurement; and
• institutional arrangements that conferred status and influence on risk takers at the expense of independent risk managers and control personnel.

Source: Senior Supervisors Group: Risk Management Lessons From the Global Banking Crisis of 2008

Why has it suddenly become important?

REASON #2, linked to REASON #1 – Boards have recently (in 2010) been explicitly told by Canadian and U.S. regulators they are “on the hook” for risk oversight

Disclosure regarding oversight and management of risks should indicate:
• the board’s responsibility for oversight and management of risks, and
• any board and management-level committee to which responsibility for oversight and management of risks has been delegated.

Source: CSA Staff Notice 58-306 2010 Corporate Governance Compliance Disclosure Review, Dec 2 2010

What do the new disclosure rules require?

Canada has provided the clearest expectations to date

The disclosure should provide insight into:
• the development and periodic review of the issuer’s risk profile
• the integration of risk oversight and management into the issuer’s strategic plan
• the identification of significant elements of risk management, including policies and procedures to manage risk, and
• the board’s assessment of the effectiveness of risk management policies and procedures, where applicable.

Source: CSA Staff Notice 58-306 2010 Corporate Governance Compliance Disclosure Review, Dec 2 2010

What do the new disclosure rules require?

What the U.S. wants is still at an embryonic stage (read “vague and open to interpretation”)

Disclosure about the board’s involvement in the oversight of the risk management processes should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company.

Source: SEC Release Nos. 33-9089 Proxy Disclosure Enhancements, page 44

What should a Board want?

1. Adequate, timely, and relevant information on residual risk status – current and linked to the organization’s strategic plan – a consolidated report on residual risk status.

2. Independent assurance on the reliability of the consolidated report on residual risk status provided by management, from the internal audit function or an outside source if the company has no IA function.

Unfortunately, very few boards currently get this information.

How have companies responded?

Canadian Regulators:

In December 2010 CSA implied they weren’t happy, described what they want to see, and stated:

In light of ongoing international developments regarding the disclosure of risk management practices, this is an area that we will continue to monitor.

Source: CSA Staff Notice 58-306

How have companies responded?

Surveys done by Deloitte, PwC, RIMS, ermINSIGHTS, law firms and others in the U.S. have found:

1. Quality of disclosure is highly variable.
2. Some companies have not complied, or provided largely useless boilerplate.
3. Some companies have done a good job explaining how the board of directors oversees risk.

How have companies responded?

Scans we have done of Canadian public company filings in 2011 suggest that many Canadian companies, including financial service companies, are not complying with the CSA Staff Notice 58-306 risk oversight disclosure expectations noted earlier in this presentation.

How have companies responded?

Example of Risk Oversight Disclosure: Coca-Cola 2010 Proxy – A Rolls-Royce Disclosure

The Board’s Role in Risk Management

The Board’s responsibilities include ensuring that the assets of the Company are properly safeguarded, that the appropriate financial and other internal controls are maintained and that the Company’s business is conducted wisely and in compliance with applicable laws and regulations and proper governance.

Included in these responsibilities is the Board’s understanding and oversight of the various risks facing the Company.

The Board does not view risk in isolation. Risks are considered in virtually every business decision and as part of the Company’s business strategy. The Board recognizes that it is neither possible nor prudent to eliminate all risk. Indeed, purposeful and appropriate risk-taking is essential for the Company to be competitive on a global basis and to achieve the objectives set forth in its 2020 Vision.

Continued…

How have companies responded?

Example of Risk Oversight Disclosure: Coca-Cola 2010 Proxy

The Board’s Role in Risk Management

…Effective risk oversight is an important priority of the Board. The Board has implemented a risk governance framework designed to:
• understand critical risks in the Company’s business and strategy;
• allocate responsibilities for risk oversight among the full Board and its committees;
• evaluate the Company’s risk management processes and whether they are functioning adequately;
• facilitate open communication between management and Directors; and
• foster an appropriate culture of integrity and risk awareness.

Continued…

How have companies responded?

Example of Risk Oversight Disclosure: Coca-Cola 2010 Proxy

The Board’s Role in Risk Management

…While the Board oversees risk management, Company management is charged with managing risk.

The Company has robust internal processes and a strong internal control environment which facilitate the identification and management of risks and regular communication with the Board.

These include an enterprise risk management program, a risk management committee co-chaired by the Chief Financial Officer and the General Counsel, regular internal management disclosure committee meetings, Codes of Business Conduct, robust product quality standards and processes, a strong ethics and compliance office and a comprehensive internal and external audit process.

Continued…

How have companies responded?

Example of Risk Oversight Disclosure: Coca-Cola 2010 Proxy

The Board’s Role in Risk Management

The Board and the Audit Committee monitor and evaluate the effectiveness of the internal controls and the risk management program at least annually.

Management communicates routinely with the Board, Board committees and individual Directors on the significant risks identified and how they are being managed. Directors are free to, and indeed often do, communicate directly with senior management.

The Board implements its risk oversight function both as a whole and through delegation to Board committees, which meet regularly and report back to the full Board. All committees play significant roles in carrying out the risk oversight function. In particular…

Continued…

How have companies responded?

Example of Risk Oversight Disclosure: Coca-Cola 2010 Proxy

The Board’s Role in Risk Management

• The Audit Committee oversees risks related to the Company’s financial statements, the financial reporting process, accounting and legal matters. The Audit Committee oversees the internal audit function and the Company’s ethics programs, including the Codes of Business Conduct. The Audit Committee members meet separately with the Company’s General Counsel, Chief of Internal Audit and representatives of the independent auditing firm.

• The Compensation Committee evaluates the risks and rewards associated with the Company’s compensation philosophy and programs. As discussed in more detail in the Compensation Discussion and Analysis beginning on page 50, the Compensation Committee reviews and approves compensation programs with features that mitigate risk without diminishing the incentive nature of the compensation. Management discusses with the Compensation Committee the procedures that have been put in place to identify and mitigate potential risks in compensation.

Continued…

How have companies responded?

Example of Risk Oversight Disclosure: Coca-Cola 2010 Proxy

The Board’s Role in Risk Management

• The Finance Committee oversees certain financial matters and risks relating to pension plan investments, currency risk and hedging programs, mergers and acquisitions and capital projects.

• The Public Issues and Diversity Review Committee oversees issues that could pose significant reputational risk to the Company.

• The Management Development Committee oversees management development and succession planning across senior management positions.

Continued…

How have companies responded?

Example of Risk Oversight Disclosure: Coca-Cola 2010 Proxy

The Board’s Role in Risk Management

…In addition, annually, one meeting of the full Board is dedicated primarily to evaluating and discussing risk, risk mitigation strategies and the Company’s internal control environment.

Topics examined at this meeting include, but are not limited to, financial risks, political and regulatory risks, legal risks, supply chain and quality risks, information technology risks, economic risks and risks related to the Company’s transformation efforts. Because overseeing risk is an ongoing process and inherent in the Company’s strategic decisions, the Board also discusses risk throughout the year at other meetings in relation to specific proposed actions….

Source: The Coca-Cola Company 2010 Proxy, pages 30-31 (http://bit.ly/o8xWJF)

Attributes of “excellent” RO disclosures

In Canada – provide what the CSA say they want – insight into:
• development and review of the issuer’s “risk profile”
• integration of risk oversight/management and strategic planning
• identification of significant elements of risk management
• the board’s assessment of the effectiveness of risk management policies and procedures

Attributes of “excellent” RO disclosures

In the U.S. it isn’t clear what the SEC wants. It’s subject to “best guess” interpretation. Some “best guesses” from informed sources:

Deloitte did research in 2010 and 2011 and has published some criteria for risk oversight disclosures – Risk Intelligent Proxy Disclosures. (http://bit.ly/quRuZN)

PwC has published a summary of opportunities to enhance risk-oversight practices in “Point of View”, May 2010. Key conclusions – there should be no ambiguity about the board’s responsibility and “the most informative disclosures shed light on relationships and processes”. (http://pwc.to/iNBhuJ)

Attributes of “excellent” RO disclosures

Tim’s Best Guesses/Pragmatic Suggestions

Attribute #1
Focus on what institutional investors say they want (see ICGN Corporate Risk Oversight Guidelines at http://bit.ly/e7tSFu). Institutional investors have a big influence on stock price.

Attribute #2
Focus on what credit agencies like S&P want. (http://bit.ly/jScZ9q) They can impact your credit rating, which impacts cost of capital, which impacts profits, which impacts stock value, which impacts officer/board remuneration.

Attributes of “excellent” RO disclosures

Tim’s Best Guesses/Pragmatic Suggestions

Attribute #3
Focus on what the regulator (CSA in Canada/SEC in U.S.) says they want to see, and take steps to see if your organization will consider adopting the “stretch” NACD board risk oversight criteria listed earlier in this presentation.

Attribute #4
Have processes in place that seek consensus agreement on the acceptability of residual risk status on high value-adding and potentially high value-eroding objectives up to, and including, the board (i.e. what can make us successful and what could hurt/kill us).

What’s the downside if you don’t do a good job?

• SEC and/or OSC may review and require you to re-file or put you on their watch list – unlikely but possible. In the banking sector regulators may be more aggressive.
• Missed opportunity to influence share price – particularly with institutional investors
• Missed opportunity to influence credit rating
• Jail time and fines for bad disclosures are very unlikely

What’s the downside if you don’t do a good job?

Board and senior management may have heightened personal liability risk if they can’t demonstrate due diligence when something really big goes wrong. So far the Canadian and U.S. civil standard of care for board oversight of risk is very low.

Delaware directors have a fiduciary duty to set up and oversee a system that will inform them of material risks. They are liable for breach if they act in bad faith by not setting up any system, deliberately failing to oversee the system they do set up, or not heeding the warnings that the system generates.

Source: Insights: Corporate & Securities Law Advisor, Vol. 24, No. 5, pp. 2-10, Disclosing Board’s Oversight Methods Since The SEC Rules Changed, Kathleen Friday, Tracy Crum, and Benjamin Morgan

What’s the downside if you don’t do a good job?

Company has heightened reputation risk if the ERM system allows a negative share impact event that could reasonably have been prevented.

Some recent examples: UBS, BP Gulf of Mexico, Enbridge Michigan

ROGUE TRADER STORY: UBS Shares Tank After Bank Says Rogue Trader Lost It $2 BILLION (Sept 15, 2011)

Update: MF Global Client Funds Still Missing (December 29, 2011)

What’s Internal Audit’s role?

• Huge, unprecedented opportunity to provide value adding support services for board risk oversight disclosures and overall risk management. The IIA has announced a new professional certification – Certification in Risk Management Assurance (“CRMA”). Over 1000 members have already applied for grandfathering.
• Opportunity to comply with IIA Standards – Section 2120, which states IA “must” assess and presumably report on the effectiveness of the company’s risk management processes.
• Unfortunately, RO’s surveys suggest many IA departments have decided not to comply with this professional practice standard.

What’s Internal Audit’s role?

SIMPLY PUT:

Internal Audit’s role should be to ensure that senior management and the board are aware of the current residual risk status and help their organization better meet emerging risk management and oversight expectations.

What’s Internal Audit’s role?

SIMPLY PUT:

This should include an annual IIA IPPF section 2120 report on the effectiveness of the organization’s risk management processes. RO recommends these assessments be done against the NACD/CSA Board risk oversight expectations.

An example of a risk maturity model [figure not reproduced in the transcript]

What’s the role of risk specialists?

Risk specialists, ERM sponsor groups and IA should focus their energy on creating “demand driven assurance”.

This means developing strategy to shift from the current predominant “supply driven” ERM/IA initiatives to “demand driven”, where senior management and the board know what they want/need assurance on and demand it.

This requires educating the board and senior management on emerging risk oversight expectations. (See http://riskoversight.ca/ro-regs for details on Canadian and U.S. expectations)

What’s the role of risk specialists?

Risk specialists need to demand that COSO and/or the IIA devote more resources to studying why tens of thousands of ERM initiatives around the world have either failed badly or, at best, sub-optimized, particularly in many large financial institutions, and take steps to address these ERM implementation “risks” in their organization.

It doesn’t help if IA does 2120 audits against flawed risk management criteria – it’s like making bad practices a law.

What’s the role of risk specialists?

The Risk Oversight website www.riskoversight.ca home page has a link to a white paper titled “The High Cost of ‘ERM HERD MENTALITY’”.

The article details “ERM HERD MENTALITY WRONG TURNS” and provides recommendations for “ERM HERD LEADERS”, including COSO, the IIA, the SEC, ISO and others, detailing what needs to change.

What’s the role of risk specialists?

All risk specialists and internal auditors should review in detail the 20 year update of COSO 92 issued by COSO in December 2011. Risk Oversight believes that this framework will become the generally accepted framework for public reporting on internal control around the world and, more importantly, that the COSO 2012 ED is still “fatally flawed”, particularly with respect to risk management and risk oversight.

Please take the time to file comments with COSO by the March 31 deadline to prevent the SEC in the U.S. and the CSA in Canada legislating the use of a flawed framework for public reporting on risk and control management.

QUESTIONS?

Contact Information:

Tim Leech, Managing Director Global Services

Risk Oversight Inc.

[email protected]

www.riskoversight.ca

www.twitter.com/RiskOversight