Governance, Risk Management, And Internal Control


Governance, Risk Management, and Internal Control
Vincent Tophoff, International Federation of Accountants (IFAC)
ICMA Pakistan Webinar, May 5, 2015
Page 1 Confidential and Proprietary Information

International Federation of Accountants
- Global organization of the accountancy profession
- Supports professional accountants in the following areas:
  – Governance and ethics
  – Risk management and internal control (RM/IC)
  – Sustainability and corporate responsibility
  – Financial and performance management
  – Business reporting
  – Promoting and contributing to the value of professional accountants
- All areas of critical importance to professional accountants

Today’s Agenda
- IFAC Governance Guidance
- IFAC/CIPFA Public Sector Framework
- Risk Management & Internal Control
- COSO / ISO 31000 Standards
- Risk Management & Internal Control Maturity
- Professional Accountant “Call to Action”
- Q&A

IFAC Governance Guidance

Relation of Governance, RM & IC

Global Crisis
- Global Crisis, according to IFAC research, caused by:
  – Ethical flaws
  – Governance in name, but not in spirit
  – Regulatory overload, leading to legalistic compliance
  – Risk management & internal control too narrowly focused on only financial reporting controls
- Conclusions from the crisis:
  – Application of governance principles is often the problem
  – Organizations should also take a broader approach to governance

Broader Approach to Governance
- Governance is not just about protecting shareholders’ interests or a compliance exercise to satisfy the requirements of regulators
- Instead, good governance supports building sustainable value in organizations and society

Conformance and Performance
- Successful organizations have a governance structure and culture that go beyond conformance with regulations to also support the organization’s efforts to improve its performance

Governance integrated in Drivers of Sustainable Organizational Success:

IFAC/CIPFA Public Sector Framework

Public Sector Governance: Analyzing the Environment
- What are the main challenges for good governance in public sector organizations?
  – Sovereign debt crisis
  – Shortage of funding / rationalization
  – Short-termism
  – Internationalization, technology, complexity
  – Corruption

Public Sector Governance: Analyzing the Environment
- What can a governance framework accomplish?
  – Establish a benchmark for good governance
  – Serve as a reference point for those developing or reviewing national codes
  – Help public sector organizations continually improve governance systems
  – Where no code/guidance exists, provide:
    - A shared understanding of what constitutes good governance
    - A powerful stimulus for positive action

Good Governance in the Public Sector: An International Framework

Public Sector Governance: International Reference Group
- Yoseph Asmelash, United Nations Conference on Trade & Development (UNCTAD)
- Ian Ball, formerly IFAC
- Andreas Bergmann, International Public Sector Accounting Standards Board (IPSASB)
- Jón Blöndal, Organisation for Economic Co-operation & Development (OECD)
- Carlo Cottarelli, International Monetary Fund (IMF)
- Robert Dacey, US Government Accountability Office (GAO)
- Steve Freer, formerly CIPFA
- Gert Jönsson, International Organization of Supreme Audit Institutions (INTOSAI)
- Mervyn King, King Committee on Corporate Governance
- Ian McPhee, Australian National Audit Office
- Maurice McTigue, George Mason University (USA)
- Roger Tabor, Professional Accountants in Business Committee, IFAC

Public Sector Governance: Framework Layout
Framework:
- Foreword by Mervyn King, Chair, IIRC, and King Report, South Africa
- Definitions
- Principles-based to maximize relevance, applicability
- Sub-principles and supporting guidance to provide explanation
Supplement:
- Examples
  – Provide practical experience and aid understanding
- Evaluation questions to consider
- Further reading

Public Sector Governance: Fundamental Function
The fundamental function of good governance in the public sector is to ensure that entities achieve their intended outcomes while acting in the public interest at all times.
- Good governance tied to:
  – Achieving intended outcomes
  – Acting in the public interest at all times

Public Sector Governance: Achieving Intended Outcomes While Acting in the Public Interest at all Times

Public Sector Governance: Explicit Attention to Managing Risk
- “Proper risk assessment assists public sector entities in making informed decisions about the level of risk they are prepared to take, and implementing the necessary controls, in pursuit of the entities’ objectives.”
- “Effective risk management better enables public sector entities to achieve their objectives, while operating effectively, efficiently, ethically, and legally.”
- “Governing bodies should ensure that entities have effective risk management arrangements in place.”

Public Sector Governance: Explicit Attention to Internal Control
- “Internal control supports a public sector entity in achieving its objectives by managing its risks while complying with rules, regulations, and organizational policies.”
- “Controls are a means to an end: the effective management of risks enables an entity to achieve its objectives.”
- “Public sector entities should also consider the need to remain agile, avoid over-control, and not become overly bureaucratic.”

Risk Management & Internal Control

Serious Risk Management & Internal Control Flaws
- Having a compliance-only mentality
- Treating risk as only negative and overlooking the idea that entities need to take risk in pursuit of their objectives
- Risk management & internal control that is overly focused on external financial reporting
- Regarding risk management & internal control as a separate function or process
- Viewing risk management & internal control as predominantly important for operations

Current Thinking About Risk
The safest place for a ship is to stay in the harbor.
But that’s not what ships were made for.

Current Thinking About Risk
- Instead, ships were made to transport people & goods to other destinations
- And that involves risk
- So, what is risk?
- Risk is defined as the “effect of uncertainty on (setting and achieving the organization’s) objectives” (ISO 31000)
- No Objectives, No Risk
- Therefore, risk should always be assessed in light of (setting and achieving) the organization’s objectives!

Current Thinking About Risk Management
Q: How does your organization address uncertainty in achieving its strategic objectives?
A: Through our strategic management system
  – Line management engaged in plan-do-check-act cycle
  – Focused on achieving the organization’s objectives
Q: How does your organization address risk?
A: Through our risk management system
  – (Separate) risk and control system, staff functionaries, risk register
  – Focus on mitigating risk

Current Thinking About Risk Management
What does this example tell us?
- That we, risk management professionals, have made great progress in the area of risk management & internal control.
- But that we, in the process, lost the other people in our organization!
(Figure: Risk Management | Rest of the organization)

Current Thinking About Risk Management
Five lines of defense:

Current Thinking About Risk Management
Five lines of defense:
1. Players
2. Captain
3. Coach
4. Referee
5. PFF/FIFA

Current Thinking About Risk Management
Five lines of defense:
Line:
1. Players (Operational Staff)
2. Captain (Supervisor / Line Manager)
Support:
3. Coach (Risk Manager)
4. Referee (Internal Auditor)
5. PFF/FIFA (External Auditor)

Current Thinking About Internal Control
From: Hindering the organization
To: Enabling the organization
Good internal control: The Invisible Hand

Main Objective of an Organization
- Is not to have effective controls
- Is not to effectively manage risk
- But to:
  – Properly set & achieve its objectives
  – Better adapt to surprises and disruptions
  – And create sustainable value

Risk Is Inherent to Setting Your Objectives

Achieving Your Objectives Through Planning & Control
(Figure: plan-do-check-act cycle) Strategic, tactical, and operational planning & control cycles

RM/IC Integral to Achieving Your Objectives

From Bolt-on to Built-in: Managing Risk as an Integral Part of Managing an Organization

COSO Frameworks

2013 COSO Internal Control Cube

2004 COSO ERM Cube
Will be revised soon!

COSO IC vs. COSO ERM

ISO 31000 Risk Management Standard

ISO 31000 Principles, Framework & Process

ISO 31000 Risk Management Principles
- Creates Value
- Integral Part of Organizational Processes
- Part of Decision Making
- Explicitly Addresses Uncertainty
- Systematic, Structured & Timely
- Based on “Best Available Information”
- Tailored
- Considers Human & Cultural Factors
- Transparent & Inclusive
- Dynamic, Iterative & Responsive to Change
- Facilitates Continuous Improvement

ISO 31000 Risk Management Framework

ISO 31000 Risk Management Process
To be applied in every decision-making process and subsequent execution!

COSO ERM vs. ISO 31000
Many organizations use both COSO ERM & ISO 31000
COSO vs. ISO 31000:
- Lengthy vs. Short
- Focused on ERM vs. General approach to managing risk
- One cube vs. Principles, framework & process
- Skewed to negative vs. Risk can be positive or negative
- Risk already exists vs. Risk tied to achieving objectives
- Risk & opportunities vs. Opportunities also source of risk
- More sequential process vs. More iterative process
Biggest challenge is that concepts are not aligned

Risk Management & Internal Control Maturity

RM/IC Maturity Levels

Thoughts on Assessing RM/IC Maturity
- Consult and Communicate!
- Consider good practice developments
- Use the Frameworks
- Perform gap analysis
- Determine performance
- Look at audit results
- Analyze serious flaws
- Continuously move to improvement!

RM/IC Maturity: Continuous Improvement
- From RM/IC as objective in itself to RM/IC to help achieve objectives
- From Auditor / staff driven to Driven from top down
- From Rules-based to Performance & principles-based
- From Off-the-shelf systems to Tailored to the organization
- From Focused on loss minimization to Also focused on value creation
- From Mainly hard controls to Recognizing culture & attitude
- From Imposed to Implemented organically
- From Stand-alone / “bolt-on” to Integrated / “built-in”
- From Static, out-of-date to Dynamic, evolving
- From Seen as overhead to Seen as a sound investment
- From Abandoned to Integrated in governance

Professional Accountant “Call to Action”

Professional Accountant “Call to Action” #1
Champion importance of good governance & RM/IC:
- Professional accountants communicate with their organization’s leadership
- Attitude and actions of professional accountants set the tone for good governance and RM/IC in organizations
- Promote integrating RM/IC into overall management of the organization
- Most important element: making RM/IC part of every decision-making process and subsequent execution!

Professional Accountant “Call to Action” #2
Support line management by providing high-quality advice, insight, and assurance:
- Decisions should only be made with explicit understanding of related risks and their potential consequences for achieving an organization’s objectives
- Therefore, decision makers require relevant and reliable information for their decision-making and control processes

Key Takeaways
- There are many flaws in current governance & RM/IC practices
- Achieving the organization’s objectives is the overall goal; risk is an inherent part
- Risk management should, therefore, be fully integrated in the organization’s system of management
- Professional accountants support RM/IC in various ways in the organizations they work for
- IFAC supports professional accountants
- However, no matter the guidance provided…

There will always be some who do it their own way!

Resources
IFAC publications free-of-charge at www.ifac.org:
- Coming in May 2015: From Bolt-on to Built-in: Managing Risk as an Integral Part of Managing an Organization
- IFAC/CIPFA International Framework: Good Governance in the Public Sector
- Evaluating and Improving Governance in Organizations
- Integrating Governance for Sustainable Success
- Evaluating and Improving Internal Control in Organizations
- Defining and Developing an Effective Code of Conduct for Organizations
- Also visit our new Global Knowledge Gateway
