Proformative presents What You Need to Know Now about Managing Governance, Risk & Compliance. Special thanks to Alec Arons, Partner, Tatum.
To download full presentation, visit http://bit.ly/ci0RJs
What You Need to Know Now about Managing Governance, Risk & Compliance
1. THE RESOURCE FOR CORPORATE FINANCE, ACCOUNTING AND TREASURY PROFESSIONALS
Event Sponsors
2. What You Need to Know Now About Managing Governance, Risk & Compliance (GRC)
3. GRC: What You Need in Your Toolbox for Success
Alec Arons, Partner, Tatum
4. Agenda
• Background: Unprecedented Market Conditions Demand New Risk Approach
• Critical Considerations: A New Risk Management Paradigm for Directors and Management
• Critical Question: Does The Organization Have The Appropriate Structure and Processes for Managing Risk?
• Governance, Risk and Compliance (GRC) Framework
• Communicating Results
6. Unprecedented Market Conditions Demand New Risk Approach
• Financial Crisis and Recovery
• SEC Disclosure Rules
• Rating Agency Scrutiny
• Financial Reform
7. Growing Expectations for Board Members and Management
• Board
– Exercise greater oversight over risk management.
– Understand the key risks and connect the dots between achieving business strategy and compensation programs.
– Evaluate the mitigation strategies and processes in place to address critical risks.
– Assess the performance of management.
– Engage management in an open dialogue around risk and share insights.
• Management
– Promote a strong risk management culture.
– Own risk identification and mitigation.
– Ensure a clear understanding of risk appetite across the organization.
– Maintain effective processes for identifying, assessing and monitoring risks.
– Communicate effectively with the board and gain insights as appropriate.
8. Recognition That Work Needs to be Done
• Research conducted by the AICPA and the ERM Initiative at North Carolina State indicates:
– 63% believe the volume and complexity of risks increased extensively in the last 5 years
– Over one-third were caught "off-guard" by an operational surprise in the last 5 years
– 75% of respondents are not reporting top risks to the board
– 48% are unsatisfied with the nature and extent of their risk management processes
Source: 2010 Report on the Current State of Enterprise Risk Assessment, 2nd edition, published by NC State University College of Management and the AICPA
9. The Current Landscape
• Post-SOX there has been an increased focus on internal controls over financial reporting.
• Some organizations have implemented ERM or GRC programs.
• Others are relying on a silo approach, not working in an integrated way.
• Management is now providing all types of risk-related information to the board.
• The challenge many companies are weighing is the balance between value and cost.
• The opportunity is to engage with the board to get their input on the process.
• What information does the board need, and in what form, to perform risk oversight?
• How can we as management provide the information in a cost-effective and meaningful way?
• Leading practice suggests implementing a process that links risks to business strategy.
• Focus on the 10-15 risks that matter most.
10. A New Risk Management Paradigm for Directors and Management
• Board members recognize that they need to have a deeper and broader understanding of how risks impact overall performance and financial results.
• Management is under increased pressure to demonstrate they have robust processes and programs in place to address risks.
• The current situation demands that companies have a well articulated framework that captures all of the critical activities in place to address risks.
• There is an expectation that companies demonstrate that they have created an effective risk management culture and that risk management activities operate in an integrated manner.
11. Does The Organization Have The Appropriate Structure and Processes for Managing Risk?
Key considerations in preparing for the new proxy disclosures, legislation and rating agency review:
• Have we clearly defined individual responsibilities amongst the board of directors, senior management and operational leaders in evaluating and monitoring risks?
• Have we identified and considered relevant business risks in developing, reviewing and approving our strategy?
• Have we clearly defined and articulated our appetite for risk across the organization, and do our people understand and demonstrate a commitment to our risk culture?
• How effective are our processes, policies and guidelines for assessing, managing, testing and addressing risks?
• Are we confident that we have appropriate tools for monitoring risk and evaluating compliance?
• Are we satisfied that the sensitivity and effectiveness of our programs will provide early warning of events that could adversely impact achieving stated business objectives?
How do we integrate our activities into a framework that is scalable, sustainable and cost effective to our organization?
12. Elements of an Effective GRC Framework
• Governance Structure: establishes clear levels of accountability for the board of directors, senior management and key individuals responsible for assessing, managing and monitoring risk.
• Risk Assessment: the framework is understood and managed by the business.
• Sustainable Process: updated at a minimum annually as part of the annual business planning process.
• Compliance: optimizes investments to date in compliance programs and activities.
13. Elements of an Effective Risk Assessment Process
• Clearly defined risk appetite communicated to the board and well understood throughout the organization.
• High priority placed on identifying those key risks linked to achieving business strategy and performance objectives.
• Encourage an active dialogue across the organization to promote understanding and facilitate the identification of emerging risks.
• Establish clear accountability for managing risk.
• Well understood metrics to assess the likelihood and impact of risks.
• Ongoing evaluation of systems of internal control over business processes.
• Mechanism to monitor the effectiveness and sensitivity of risk management and compliance programs.
• Clearly defined reporting metrics and processes with the board.
14. Leveraging Risk Assessment to Improve Communication
• Engage in a review and discussion of business risks.
• Systematic process to communicate and educate key people at all levels as to critical risks and overall risk appetite.
• Opportunity to connect the dots and break down silos.
• Identify areas for improvement.
• Establish clear accountability for managing risk.
• Set clear expectations between management and the board on risk metrics and reporting.
• Assess reporting and governance structure.
• Focus on the key 5-10 risks linked to business strategy.
• Develop a framework for sharing information that meets the needs of all parties.
15. Linking GRC to Value Creation
A framework aligned with the strategy for creating shareholder value:
• Governance (Add Value): support activities relating to value creation by identifying and mitigating Strategic Risks relating to the achievement of the business goals.
• Risk Assessment (Sustain Value): ensure that the governance framework, organizational structure, risk management activities, and policies and procedures in place are effective in creating a well understood Risk Management Culture.
• Compliance (Minimize Value Erosion): perform risk management activities in an efficient and cost effective manner so as not to create a competitive disadvantage.
16. Thank You
18. Financial Crisis
• Timely And Accurate Disclosure?
– Business Deals
– Business Conditions
– Increased Risks
– Asset Values
• Gatekeeper Risk
19. SEC Cases to Watch
• Goldman Sachs
– CDO
• Rorech
– CDS
• Morgan Keegan
– MBS
20. FCPA Developments
• Aggressive DOJ & SEC
• New Investigative Techniques
• Larger Sanctions
• More Individuals
• High Level Of Risk
21. Insider Trading
• Why The SEC Loves Insider Trading
• Market Trends & Risks
– M&A Activity
– Hedge Funds
• New Investigative Tools
• Links v. Sphinx
22. New Specialized Units
• Asset Management
– Hedge Funds, Investment Advisers
– Valuation, Performance, Due Diligence
• Market Abuse Unit
• Structured & New Products
• Municipal Securities & Public Pension
• FCPA
23. Setting The Table
• Faster Subpoenas
• Downstream Autonomy
• Taking Away The 4 Corner
• Clearing Inventory
• Strategic Resource Allocation
• New Cooperation Program
24. Possible Barriers To Action
• Judicial Scrutiny
– Theories
– Relief
• Culture
• SEC v. SDNY
• Resources
25. Protecting The Organization
• Can You Back Up Your Compliance
Defense?
• Common Characteristics Of Charged
Companies
• FCPA Risk Profile
• The Informal Trumps The Formal
• Watch Your Whistle
26. Thank You
27. Putting the Pieces Together as an Enterprise/Finance Leader
Glenn Robertson, CFO, Havas Digital
28. Interesting Career Timing…
• IAC start date: Sept 11, 2001… 11am
• Revised IAC start date: Sept 17, 2001
• Enron bankruptcy: December 2001
• WorldCom bankruptcy: July 2002
• Sarbanes-Oxley Act: July 2002
• Head of IAC IA Sept 2001 – Nov 2006:
• USA Networks/USA Interactive/InterActiveCorp
• Three changes in CFO
• Three changes in Audit Committee
29. Varied SBU Risk and Control Profiles/Maturity:
• Home Shopping Network
• Ticketmaster
• Expedia
• Entertainment Publications
• Precision Response Corporation
• Lending Tree
• Match.com
• Ask.com
• Tripadvisor.com
• Hotels.com
• Hotwire.com
• Citysearch.com
• Evite.com
30. IAC Implementation of the Framework:
Elements of an Effective GRC Framework:
• Governance Structure: establishes clear levels of accountability for the board of directors, senior management and key individuals responsible for assessing, managing and monitoring risk.
• Risk Assessment: the framework is understood and managed by the business.
• Sustainable Process: updated at a minimum annually as part of the annual business planning process.
• Compliance: optimizes investments to date in compliance programs and activities.
32. IAC Implementation of the Framework:
Elements of an Effective GRC Framework (framework diagram repeated from slide 30)
33. IAC Implements COSO’s ERM Framework:
Enterprise Risk Management Defined:
“… a process, effected by an entity's board of
directors, management and other personnel, applied
in strategy setting and across the enterprise,
designed to identify potential events that may affect
the entity, and manage risks to be within its risk
appetite, to provide reasonable assurance regarding
the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.
35. IAC IA Blurs the Lines Suggested by the IIA:
IIA Guidance:
• Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.
• Assist management and the BOD/Audit Committee in the process by:
– Monitoring
– Evaluating
– Examining
– Reporting
– Recommending improvements
IAC IA Approach: [diagram]
36. IAC Implementation of the Framework:
Elements of an Effective GRC Framework (framework diagram repeated from slide 30)
37. IAC IA Annual Approach under COSO ERM:
Actual BOD/AC slide from 4Q2005 Meeting:
• Prepare Integrated 2006 IA Plan
– Conduct annual planning meeting with Businesses in November/December 2005 to determine risks and integrated (NonSOX/SOX) IA focus in 2006
• Develop 2006 testing schedule by January 2006
– IAC Internal Audit resources
– Internal Business resources
– PwC resources
• Present & obtain approval of IA and SOX Plans from IAC Audit Committee
– February 22, 2006
38. IAC IA Annual Approach under COSO ERM:
Actual BOD/AC slide from 4Q2005 Meeting:
• Underlying premise to achievement of business objectives is the identification and analysis of risks
• There are 3 main risk groups under ERM:
– Environmental: industry, regulation, legal, etc.
– Process: Operations, Empowerment, IT, Integrity, Financial
– Information for Decision-Making: Operational, Financial, Strategic
39. IAC IA Annual Approach under COSO ERM:
Actual BOD/AC slide from 4Q2005 Meeting:
• Using ERM, IA has created a tool to help the B's evaluate risks: Business Unit Risk Evaluation Tool (RET)
• Each business is responsible for reviewing the risks identified (initially by IA), modifying the RET and concluding on the OIBA impact and probability
40. IAC IA Annual Approach under COSO ERM:
Actual BOD/AC slide from 4Q2005 Meeting:
• Discuss and Finalize the 2006 Business Unit Risk Evaluation Tool (RET)
– Review Risks and Risk Responses (compiled by IA)
– Modify Risks and Risk Responses (B's)
– Rate Annual OIBA Impact (B's)
– Rate Probability (B's)
– Determine whether risks on RET warrant "IA Focus Area", i.e., IAC internal audit projects for 2006
– Determine overlap and integration with SOX scoping (see next page)
41. IAC IA Annual Approach under COSO ERM:
Actual BOD/AC slide from Feb 22, 2006 Meeting:
• Issued 108 SOX Testing Reports (STRs)
– Tested 1,387 key controls
• Completed 6 'NonSOX' audits
– 2 Risk-Based, 4 Surprise
– 21 Planned (17 Risk-Based, 4 Surprise)
– SOX efforts again delayed a broader focus
• SOX 'Year 2' Efficiencies:
– Eliminated 2,500 hours and $300K in outside temp fees
• RFP'd, Selected and Implemented new SOX Software
42. IAC IA Annual Approach under COSO ERM:
Actual BOD/AC slide from Feb 22, 2006 Meeting:
• Using elements of COSO's ERM Framework, performed risk assessment at each OB; held co-development meetings with divisional senior management to assess risk areas considering:
– Final Strategic Plan
– Business profile, product changes
– Growth strategy, mergers, acquisitions
– Technology environment, financial systems, IT changes
– Organizational and personnel changes
– Impact on SOX scope
• Risk assessment yielded areas of IA focus for 2006:
– Control Activity Testing for SOX
– 'NonSOX' audits addressing Operations and IT risk areas