Upgrading Risk Management and Internal Control in Your Organization

Presentation by Vincent Tophoff, IFAC Senior Technical Manager and J. Stephen McNally, Campbell Soup Company Finance Director and Comptroller at the IMA Annual Conference and Exposition, June 2014

1. Upgrading Risk Management and Internal Control in Your Organization
   J. Stephen McNally, Campbell Soup & Vincent H. Tophoff, IFAC

2. Agenda

3. Upgrading RM/IC in Your Organization
   • Current Considerations
   • Assessing RM/IC Maturity Stage
   • A Case Study
   • Recap & Call to Action

4. Current Considerations

5. Serious RM/IC Flaws
   • Having a compliance-only mentality
   • Treating risk as only negative and overlooking the idea that organizations need to take risk in pursuit of their objectives
   • RM/IC that is overly focused on external financial reporting
   • Regarding RM/IC as a separate function or process
   • Viewing risk management as predominantly important for operations

6. Bad vs. Good RM/IC Practices
   • RM/IC as an objective in itself vs. RM/IC to help achieve objectives
   • Auditor / staff driven vs. Driven from the top down
   • Rules-based vs. Performance & principles-based
   • Off-the-shelf systems vs. Tailored to the organization
   • Focused on loss minimization vs. Also focused on value creation
   • Mainly hard controls vs. Recognizing culture & attitude
   • Imposed vs. Implemented organically
   • Stand-alone / "bolt-on" vs. Integrated / "built-in"
   • Static, out-of-date vs. Dynamic, evolving
   • Seen as overhead vs. Seen as a sound investment
   • Abandoned vs. Integrated in governance

7. 2013 COSO Internal Control Cube

8. 2004 COSO ERM Cube

9. COSO IC vs. COSO ERM

10. ISO 31000 Principles, Framework & Process

11. COSO ERM vs. ISO 31000
    Many entities use both COSO ERM & ISO 31000… the biggest challenge is that the concepts are not aligned.
    COSO ERM vs. ISO 31000:
    • Lengthy vs. Short
    • Focused on ERM vs. General approach to managing risk
    • One cube vs. Principles, framework & process
    • Skewed to negative vs. Risk can be positive or negative
    • Risk already exists vs. Risk tied to achieving objectives
    • Risk & opportunities vs. Opportunities also a source of risk
    • More sequential process vs. More iterative process

12. Relation of Governance, RM & IC
    • How do you think that governance, risk management, and internal control are related to each other?

13. Relation of Governance, RM & IC

14. Assessing RM/IC Maturity Stage

15. Main Objective of RM/IC
    • Is not to have effective controls…
    • Is not to effectively manage risk…
    But to:
    • Properly set & achieve your objectives
    • Avoid too many surprises along the way
    • And create sustainable value

16. RM/IC Integral Part of Good Governance
    Governance comprises the arrangements (plan, do, check, and act) put in place to ensure that the intended objectives are defined and achieved.
    • RM/IC are an integral part of that!

17. Relation of Risk Management & Internal Control

18. Achieving Objectives Through G/RM/IC

19. RM/IC Maturity Levels

20. Thoughts on Assessing RM/IC Maturity
    • Use the frameworks
    • Consider good practice developments
    • Perform gap analysis
    • Determine performance
    • Look at audit results
    • Analyze serious flaws
    • …
    • Continuously move to improvement!

21. Table Discussions
    • What is the maturity of risk management & internal control at your organization?

22. A Case Study

23. My COSO Story
    U.S. SOX Act + 1992 COSO Cube = My COSO Story

24. The Evolution
    SOX Compliance (2004), Control Self-Assessment (2006), CFO Protocol (2009)
    • Annual site visits
    • Content: "Tone", Financial, I/C
    • Focus: Location-specific risks
    • Execute "formal" procedures
    • Issue "trip report"

25. My Challenge
    Co-Manufacturing Operations (CFO Protocol: N/A)
    • First CFO Protocol ever completed
    • No specific guidance / expectations
    • Cross-functional / multi-location team
    • No "big picture" flow diagram and/or procedural documentation
    • No defined risks / internal controls

26. Our Scope
    In-Scope: oversight activities to
    • Identify
    • Select; and
    • Manage ongoing co-manufacturing partner relationships
    Out-of-Scope:
    • Co-manufacturing partners themselves
    • Non-CNA businesses:
      o Canada
      o Latin America
      o Pepperidge Farm
    • Special pack business

27. Our Game Plan
    Step 1: Obtain "big picture" overview
    Step 2: Determine co-manufacturing objectives
    Step 3: Walkthrough co-mfg processes
    Step 4: Identify key risks
    Step 5: Define key controls
    Step 6: Define testing protocol
    Step 7: Test key controls
    Step 8: Align findings & recommendations
    Step 9: Issue final report

28. Co-Manufacturing Processes
    • New partner selection & contracts
    • Supply Base Quality System Assessments
    • Formula management & mock recalls
    • Cost standards & inventory management
    • Capital investments & fixed assets
    • Business continuity planning
    • Other

29. Entity Structure = CFO Protocol Scope
    CNA Co-Mfg. Operations:
    • Campbell Soup Company
      o Campbell North America
        - U.S. Retail
        - CNA Supply Chain
          ‒ Napoleon Plant
    • Global Procurement
    • Other: Legal, Quality, etc.

30. Objectives
    CNA Co-Mfg Operations:
    • Strategic
    • Operational
    • Internal Reporting
    • Compliance

31. Components: Internal Environment
    Encompasses the tone of an organization… What is the internal philosophy and culture?

32. Components: Objective Setting
    Objectives are a prerequisite… What are we trying to accomplish?
    Leverage external partners to:
    - Meet new Brand requirements
    - Optimize total delivered cost
    - Address supply chain capacity

33. Components: Event Identification
    In terms of internal & external events… What could stop us from achieving our objectives?
    Co-Mfg Risks:
    - Product quality
    - Partner's financial stability
    - Formula management
    - Business continuity

34. Components: Risk Assessment
    Analyze risks to determine how they should be managed…
    • How good or bad are these events?
    • Will they really happen?

35. Components: Risk Response
    What can we do to manage the identified risk? What are the options?
    • Avoid?
    • Accept?
    • Reduce?
    • Share?
    • Exploit?

36. Components: Control Activities
    What policies & procedures should be established to manage the risks as desired?
    Co-Mfg. Controls:
    - Quality audits & mock recalls
    - Co-Man & D&B reporting
    - Formula management
    - Annual BCP review & testing

37. Components: Information & Communication
    How will we obtain information and communicate? What information is relevant to enable people to carry out their responsibilities?
    Co-Mfg:
    - Partner relationship manager
    - Cross-functional team meetings
    - Standardized reporting

38. Components: Monitoring
    How will we know we achieved what we wanted to accomplish? What ongoing management activities and/or separate evaluations can we leverage?
    Co-Mfg:
    - Quarterly business reviews
    - CFO protocol visit(s)
    - Internal audits
    - SAS 70

39. Recap & Call to Action

40. Recap
    • Serious RM/IC flaws
    • Frameworks and guidance can help
    • Climbing the maturity ladder through continual improvement
    • Companies like Campbell's are on this journey
    • What about you and your organization?

41. Effective RM/IC & You
    • How could you more effectively leverage risk management & internal control within your organization?

42. Management Accountant: Call to Action
    • Build subject-matter expertise regarding frameworks, standards & other guidance
    • Educate audit committee, C-suite, operating unit & functional management
    • Support line management through provision of high-quality information
    • Establish good RM/IC for the finance function
    • Champion the importance of continuous RM/IC improvement

43. 10 Paragon Drive, Suite 1, Montvale, New Jersey 07645-1760 U.S.A.
    (800) 638-4427 | +1 (201) 573-9000 | www.imanet.org
