Corporate Governance and Operations Management

The importance of internal control and expected standards of conduct are established through a tone at the top approach taken by the senior management and board of directions of an entity. The five principles related to the control environment are:

1. Commitment to ethics and integrity 2. board independence and oversight 3. organizational structure 4. commitment to competence 5. accountability (EBOCA--Ethics, board independence, organization structure, commitment to competence, and accountability)

Elements of effectiveness:

1. each component of enterprise risk management must be present and functioning. the components are the effectiveness criteria. 2. There can be no material weaknesses for enterprise risk management to be considered effective.

Many methods can be used to identify events. Workshops and brainstorming sessions might be useful in some instances. Analytics applied to data including trend analysis might also be used. Event identification techniques may include:

1. event inventories 2. internal analysis 3. escalation or threshold triggers 4. Event interdependencies 5. event categories 6. distinguishing risks and opportunities

The sarbanes- oxley act of 2002 requires that issuers must disclose whether or not the issuer has adopted a code of conduct for senior officers. If no code of conduct has been adopted, the issuer must disclose the reasons. The code of ethics contemplates standards that promote:

1. honest and ethical conduct (including handling of conflicts of interest) 2. full, fair,accurate, and timely disclosures in periodic financial reports. 3. compliance with laws, rules and regulations.

Risks are analyzed in relation to their likelihood and their severity and the anticipated risks that continue even after management has taken action. Risk assessment is supported by the following key elements:

1. inherent and residual risk 2. establishing likelihood and impact 3. data sources 4. assessment techniques

The three principles related to information and communications are:

1. obtain and use information (internal audit, audit committee, management) 2. internally communicate information 3. communicate with external parties (customers, investors)

Two principles related to monitoring activities are:

1. ongoing and/or separate evaluations (frequency of testing dictated by risk) 2. communication of deficiencies (report and correct deficiencies)

For ERM, Monitoring should be used to manage risk, 3 ways to do this are:

1. ongoing monitoring activities (dictated by risk) 2. separate evaluations 3. reporting deficiencies

Internal control is a process that is designed and implemented by an organizations management, board of directors and other employees to provide reasonable assurance that will achieve its compliance, operating, and reporting objectives. There are three categories of objectives within the framework:

1. operations objectives 2. reporting objectives 3. compliance objectives

Public companies are responsible for establishing an audit committee that is directly responsible for the appointment, compensation, and oversight of the work of the public accounting firm employed by that public company (also referred to as an issuer)--

1. the auditor reports directly to the audit committee 2. the audit committee is responsible for resolving disputes between the auditor and management

Corporate officials, typically CEO and CFO must sign certain representations regarding annual and quarterly reports, including their assertion that:

1. they have reviewed the report 2. the report does not contain untrue statements or omit material information 3. the financial statements fairly present in all material respects the financial condition and results of operations of the issuer. 4. The CEO and CFO signing the report have assumed responsibility for internal controls including assertions that internal controls have been designed to ensure that material information has been made available, internal controls have been evaluated for effectiveness as of a date within 90 days prior to the report and that their report includes their conclusions as to the effectiveness of internal controls based upon their evaluation. 5. The CEO and CFO signing the report assert that they have made the following disclosures to the issuers auditors and the audit committee: all significant deficiencies in the design or operation of internal controls which might adversely affect the financial statements and any fraud (regardless of materiality) that involves management or any other employee with significant role in internal controls. 6. the CEO and CFO signing the report must also represent whether there have been any significant changes to internal controls.

The ERM identifies numerous types of control activities that might be used to fully respond to risk. The activities include:

1. top level reviews (variance analysis) 2. direct function of activity management 3. information processing 4. physical controls 5. performance indicators ("red flags"; ratio analysis) 6. segregation of duties

Sarbanes- Oxley section 407 requires tha an issuers audit committee have at least one financial expert or disclose why that role is not filled. A financial expert qualifies through education , past experience as a public accountant, or past experience as a principal financial officer, comptroller, or principal accounting officer for an issuer. Knowledge of the financial expert should include:

1. understanding of GAAP 2. experience in the preparation or auditing of financial statements from comparable issuers 3. application of GAAP 4. experience with internal controls 5. understanding of audit committee functions.

Event identification recognizes that occurrences can come from anywhere. Events might be categorized in any number of ways to ensure comprehensive consideration of potential events:

A. External 1. economic 2. natural environment 3. political 4. social 5. technological B. Internal 1. infrastructure (ex. assets, capital, and other resources) 2. personnel 3. process 4. technology

the organization communicates with external parties regarding matters that affect the functioning of internal control

Communicate with External Parties

provides a framework that can be used to evaluate how an organization will respond to risk and how to improve the effectiveness of risk decision making enhancing risk response decisions

ERM

An internal or external occurrence that impacts strategy or the achievement of objectives. May be either positive or negative and may or may not happen. It is the uncertainty along with tis potential severity or benefit that drives the risk assessment and response process; are at the core of the risk assessment process.

Events

the benchmark for strategy setting; the theoretical balance of willingness to accept risk in order to achieve return and growth. Sometimes expressed as a risk-adjusted shareholder value-added measure. Impacts strategy, which in turn impacts resource allocation.

Risk appetite

includes key elements that relate to the policies and procedures that ensure appropriate responses to identified risks.

The control activities component of the ERM framework

includes foundational elements such as organizational structure, assignment of authority and responsibility, integrity and ethical values, risk management philosophy, commitment to competence and human resource standards and similar issues that influence the tone of the organization.

The internal environment component of the enterprise risk management (ERM) framework

A fire at one of the company's major plants reduces operating production by 20% resulting in the company's inability to meet its profitability objectives (goals) for the operating year. This is an example of

negative events

The organization obtains or generates and uses relevant, high quality information to support the functioning of internal control.

obtain and use information

relate to the effectiveness and efficiency of an entity's operations. This category includes financial and operation performance goals as well as ensuring that the assets of the organization are adequately safeguarded against potential losses

operations objectives

positive events that promote achievement of objectives are

opportunities

management establishes an organizational structure, including reporting lines, authorities, and responsibilities, that is appropriate to the organizations objectives

organizational structure

Management establishes the risk appetite of the entity with the

oversight of the board of directors

an assigned employee or manager should compare financial or operating results to predetermined standards. Any material variances should be investigated by the assigned employee.

performance indicators

assets are kept in physically secure locations. A company's legal documents including lending agreements, customer contracts, investment documents and leases should be kept in a locked fire-proof value.

physical controls

_____and _____ should mirror the actions anticipated by the risk response and should be anticipated to be effective

policies and procedures

Risk should be considered entity-wide using a ________. ultimately entities must review their total residual risk in comparison to risk tolerance. Simply put once the organization has done all it can do, is the potential return worth the risk?

portfolio perspective

The improvement in local economic conditions has resulted in more demand for the company's products and an expansion of its customer base.

positive events

a flow chart of activities used to identify potential risks

process flow analysis

ERM devotes time to event identification. Events may be positive (opportunities) or negative (risks). The early identification of events and the establishment of responses to those events reduce surprises and losses or lost opportunities

reducing operational surprises and losses

A company that has had past inventory shortages may elect to invest in inventory technology to more closely monitor inventory levels and avoid the risk of stockouts. This is an example of

reduction

management may elect to reduce or mitigate risk. A response to risk that involves diversification of product offerings, rather than elimination of product offerings

reduction

the risk to an organization that exists after management takes action to mitigate the adverse impact of the event

residual risk

The amount of risk an organization will accept in the pursuit of value maximization is defined by ______. Factors heavily into balancing strategy with return.

risk appetite

The shared beliefs and attitudes of management that impact the entire organization are defined by the

risk management philosophy

the accepted level of variation relative to the achievement of objectives; measured in the same units as those used to measure the related objectives

risk tolerances

Negative events that prevent achievement of objectives are

risks

there should be adequate segregation of the authorization, record keeping, and custodial functions to ensure that no one individual can controls a transaction from beginning to end and thereby manipulate results

segregation of duties

management can better capitalize on opportunities when they know their own entity's strengths and weaknesses and how to use them to maximize profitable opportunities

seizing opportunities

The company may take no action. Self insuring or simply tolerating the full exposure to risk. (low probability; low loss)

acceptance

XYZ company produces widgets which are currently in high demand. Instead of expanding its production capacity to accommodate higher order volumes, the company takes not action and its content with the daily production of widgets generated from its sole operating plant, this is an example of

acceptance

The degree to which individuals are given appropriate authority to hand their responsibilities and the degree to which they are held accountable influences the internal environment

accountability

suggests a strong controls and encourages management to hold individuals accountable for their internal control responsibilities

accountability principle

Objectives ultimately selected and implemented by the organization must not only support the mission, but should also

align with the entity's risk appetite.

Organizations set strategy and objectives based on their individual willingness to bear risk. The levels and types of risk, including the mechanisms used to manage risk, are important themes in ERM

aligning risk appetite and strategy

The intent of ERM is to

allow management to effectively deal with uncertainty, evaluate risk acceptance, and build value

establishes an organization-wide tone that recognizes their authority and promotes accountability of management.

appropriate oversight provided by the board of directors

IN 2004, the COSO issued Enterprise Risk Management (ERM)- integrated framework- to

assist organizations in developing a comprehensive response to risk management

A company with an underperforming product line decides to discontinue the underperforming product line instead of taking steps to improve its performance. This is an example of

avoidance

management may elect to avoid or terminate risk. a response to risk that involves disposal of a business unit, product line or geographical segment.

avoidance

A company that produces perishable food items decides to buy insurance to cover potential losses from spoilage, this is an example of

sharing

management may reduce risk by transferring risk. Insuring against looses or entering into joint ventures to address risk.

sharing

Value is maximized when

strategy balances risks and returns as well as efficiency and effectiveness in accomplishing objectives

the organization structure should

support the entity's enterprise risk management system

In establishing the likelihood and impact of events, managers should use

the same time horizon as strategic plans

consideres the risk assessment component of internal control and identifies changes in process or risk and verifies that the design of underlying controls remains effective.

change identification

managements specification of required competency levels for each job function establishes the organization-wide expectation of individual and thus corporate competence.

commitment to competence

include adherence to the laws, rules, and regulations associated with operations, including tax and financial reporting compliance, workplace safety, environmental regulations, and other laws.

compliance objectives

the policies and procedures used to effect managements response to risk

control activities

includes the processes, structures, and standards that provide the foundation for an entity to establish a system of internal control.

control environment

IF a director is presented with a business opportunity that is of interest to his corporation, generally the duty of loyalty prohibits the director from taking the opportunity for himself. He must present the opportunity to the corporation and can take the opportunity for himself only if the corporation decides not to take it

corporate opportunity doctrine

generally drawn from past experience with similar events. May include relevant economic data trends, historical industry information, or past company (data) experience.

data sources

review of performance reports and reconciliations by operating managers to ensure the transactions and other operations are executed as prescribed

direct function or activity management

a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite , to provide reasonable assurance regarding the achievement of entity objectives.

enterprise risk management

comparison of activity to predefined criteria may trigger identification of events (variances from standards)

escalation of threshold triggers

Changes in interest rates might impact exchange rates, which could change supplier costs or foreign demand. this is an example of

event interdependencies

lists of potential events common to companies in a particular industry

event inventory

The underlying premise of ERM is that

every entity exists to provide value for stakeholders that all entities face uncertainty (risk), and that management must determine how much uncertainty to accept as it strives to grow stakeholder value.

Gathering management together to discuss or even brainstorm ideas in a structured manner

facilitated workshop

Suggests stronger controls and encourages the company to retain qualified personnel to handle financial reporting

financial reporting competence (commitment to competence)

The commitment to hiring the most qualified people will influence the internal environment. Minimum educational and work experience requirements, background checks, and the like demonstrate human resource commitment and facilitate individual and corporate accountability for new employee hires

human resources standards

the consequence of its occurrence Alternatively referred to as severity or seriousness

impact of an event

management can maximize the efficiency and effectiveness of capital investments, when it has identified the maximum level of risk for a given capital investment

improving deployment of capital

use of common information processing controls such as edit checks, batch totals, etc.

information processing

the risk to an organization that exists if management takes no action to change the likelihood or impact of an adverse event

inherent risk

suggests stronger controls with high standards of ethical conduct for top management

integrity and ethical values principle

analysis performed by internal staff as part of business planning

internal analysis

the organization internally communicates information necessary to support the functioning of internal controls, including relevant objectives and responsibilities

internally communicate information

The COSO identifies four stages of the change continuum:

1. control baseline 2. change identification 3. change management 4. control validation/update

Managements response to risk must allign with the organizations overall risk appetite. Risk response is supported by the following key elements:

1. Evaluating possible responses 2. selected responses 3. portfolio view

Events, both negative (risks) and positive (opportunities) should be identified. Event identification is supported by the following key elements:

1. Events 2. Influencing Factors 3. Event Identification Techniques

Audit committees must establish procedures to accept reports of complaints regarding audit, accounting or internal control issues. Procedures must:

1. accommodate confidential, anonymous reports by employees of the issuer 2. accomodate receipt and retention of complaints as well as a method to address those complaints

As part of their fiduciary responsibilities, directors owe their corporation a duty of loyalty and must act in the best interests of their corporation. The duty of loyalty prohibits directors from competing with the corporation but does not necessarily prohibit directors from transacting business with the corporation. An action in which a director has a conflict of interest will be upheld only if:

1. after full disclosure, the transaction is approved by a disinterested majority of the board of directors or the shareholders; or 2. the transaction was fair and reasonable to the corporation

The ERM framework encompasses the following themes:

1. aligning risk appetite and strategy 2. enhancing risk response decisions 3. reducing operations surprises and losses 4. identifying and managing multiple and cross-enterprise risks 5. seizing opportunities 6. improving deployment of capital

Audit committee members are to be members of the issuer's Board of Directors but also must be otherwise independent. Independence criteria are as follows:

1. audit committee members may not accept compensation from the issuer for consulting or advisory services. 2. Audit committee members may not be an affiliate person of the issuer (affiliation means a person has the ability to influence financial decisions)

Management will generally response to risk in one of four ways:

1. avoidance 2. reduction 3. sharing 4. acceptance

The internal environment component of ERM is similar to the control environment of the internal control framework and defines the tone of the organization. The internal environment component is supported by eight key elements:

1. commitment to ethical values and integrity 2. Board oversight 3. organizational structure 4. commitment to competence 5. accountability 6. risk management philosophy (aggressive or conservative) 7. human resources standard (Hire train, evaluate, compensate, promote) 8. risk appetite (EBOCA +HR)

The character of risks changes when viewed form an entity-wide perspective through to the division and business unit levels. Applying the framework at each level identifies unique and common risks which helps management identify appropriate responses.

Identifying and managing multiple and cross-enterprise risks

support the identification, capture, and exchange of information in a timely and useful manner.

Information and Communication systems (FACT- Fair, accurate, complete, timely)

includes key elements that relate to the identification, capture and communication of information.

Information and communication component of the ERM framework

includes key elements that relate to the ongoing management activities or separate evaluations of the ERM approach adopted by the entity.

Monitoring component of the enterprise framework

the board is independent from management and oversees the development and performance of internal control

board independence and oversight

has the power to set director compensation

board of directors

the probability that an event might occur

likelihood of an event

suggests strong controls and encourages managements attitudes to be congruent with strong financial controls

management philosophy and operating style principle

the process of assessing the quality of internal control performance over time by assessing the design and operation of controls on a timely basis and taking the necessary corrective actions.

monitoring

review of major initiatives and budget vs. actual performance by senior executive managers.

top-level reviews