Corporate Governance and Operations Management
The importance of internal control and expected standards of conduct are established through a "tone at the top" approach taken by the senior management and board of directors of an entity. The five principles related to the control environment are:
1. Commitment to ethics and integrity 2. board independence and oversight 3. organizational structure 4. commitment to competence 5. accountability (EBOCA--Ethics, board independence, organization structure, commitment to competence, and accountability)
Elements of effectiveness:
1. Each component of enterprise risk management must be present and functioning; the components are the effectiveness criteria. 2. There can be no material weaknesses for enterprise risk management to be considered effective.
Many methods can be used to identify events. Workshops and brainstorming sessions might be useful in some instances. Analytics applied to data including trend analysis might also be used. Event identification techniques may include:
1. event inventories 2. internal analysis 3. escalation or threshold triggers 4. Event interdependencies 5. event categories 6. distinguishing risks and opportunities
The Sarbanes-Oxley Act of 2002 requires that an issuer disclose whether or not it has adopted a code of ethics for senior financial officers. If no code of ethics has been adopted, the issuer must disclose the reasons. The code of ethics contemplates standards that promote:
1. honest and ethical conduct (including handling of conflicts of interest) 2. full, fair, accurate, and timely disclosures in periodic financial reports 3. compliance with laws, rules, and regulations
Risks are analyzed in relation to their likelihood and their severity (impact), both before management acts (inherent risk) and for the risk that remains after management has taken action (residual risk). Risk assessment is supported by the following key elements:
1. inherent and residual risk 2. establishing likelihood and impact 3. data sources 4. assessment techniques
The three principles related to information and communications are:
1. obtain and use information (internal audit, audit committee, management) 2. internally communicate information 3. communicate with external parties (customers, investors)
Two principles related to monitoring activities are:
1. ongoing and/or separate evaluations (frequency of testing dictated by risk) 2. communication of deficiencies (report and correct deficiencies)
In ERM, monitoring should be used to manage risk. Three ways to do this are:
1. ongoing monitoring activities (dictated by risk) 2. separate evaluations 3. reporting deficiencies
Internal control is a process, designed and implemented by an organization's management, board of directors, and other employees, to provide reasonable assurance that the entity will achieve its operations, reporting, and compliance objectives. There are three categories of objectives within the framework:
1. operations objectives 2. reporting objectives 3. compliance objectives
Public companies are responsible for establishing an audit committee that is directly responsible for the appointment, compensation, and oversight of the work of the public accounting firm employed by that public company (also referred to as an issuer)--
1. the auditor reports directly to the audit committee 2. the audit committee is responsible for resolving disputes between the auditor and management
Corporate officials, typically the CEO and CFO, must sign certain representations regarding annual and quarterly reports, including their assertions that:
1. they have reviewed the report 2. the report does not contain untrue statements or omit material information 3. the financial statements fairly present, in all material respects, the financial condition and results of operations of the issuer 4. the CEO and CFO signing the report have assumed responsibility for internal controls, including assertions that internal controls have been designed to ensure that material information has been made available to them, that internal controls have been evaluated for effectiveness as of a date within 90 days prior to the report, and that the report includes their conclusions as to the effectiveness of internal controls based upon that evaluation 5. the CEO and CFO signing the report assert that they have made the following disclosures to the issuer's auditors and audit committee: all significant deficiencies in the design or operation of internal controls which might adversely affect the financial statements, and any fraud (regardless of materiality) that involves management or any other employee with a significant role in internal controls 6. the CEO and CFO signing the report must also represent whether there have been any significant changes to internal controls
The ERM framework identifies numerous types of control activities that might be used to respond fully to risk. The activities include:
1. top-level reviews (variance analysis) 2. direct functional or activity management 3. information processing 4. physical controls 5. performance indicators ("red flags"; ratio analysis) 6. segregation of duties
Sarbanes-Oxley Section 407 requires that an issuer's audit committee have at least one financial expert or disclose why that role is not filled. A financial expert qualifies through education, past experience as a public accountant, or past experience as a principal financial officer, comptroller, or principal accounting officer for an issuer. Knowledge of the financial expert should include:
1. understanding of GAAP 2. experience in the preparation or auditing of financial statements from comparable issuers 3. application of GAAP 4. experience with internal controls 5. understanding of audit committee functions.
Event identification recognizes that occurrences can come from anywhere. Events might be categorized in any number of ways to ensure comprehensive consideration of potential events:
A. External 1. economic 2. natural environment 3. political 4. social 5. technological B. Internal 1. infrastructure (ex. assets, capital, and other resources) 2. personnel 3. process 4. technology
the organization communicates with external parties regarding matters that affect the functioning of internal control
Communicate with External Parties
provides a framework that can be used to evaluate how an organization will respond to risk and how to improve the effectiveness of its risk decision making (enhancing risk response decisions)
ERM
An internal or external occurrence that impacts strategy or the achievement of objectives. May be either positive or negative and may or may not happen. It is the uncertainty, along with its potential severity or benefit, that drives the risk assessment and response process; these are at the core of the risk assessment process.
Events
the benchmark for strategy setting; the theoretical balance of willingness to accept risk in order to achieve return and growth. Sometimes expressed as a risk-adjusted shareholder value-added measure. Impacts strategy, which in turn impacts resource allocation.
Risk appetite
includes key elements that relate to the policies and procedures that ensure appropriate responses to identified risks.
The control activities component of the ERM framework
includes foundational elements such as organizational structure, assignment of authority and responsibility, integrity and ethical values, risk management philosophy, commitment to competence and human resource standards and similar issues that influence the tone of the organization.
The internal environment component of the enterprise risk management (ERM) framework
A fire at one of the company's major plants reduces operating production by 20% resulting in the company's inability to meet its profitability objectives (goals) for the operating year. This is an example of
negative events
The organization obtains or generates and uses relevant, high quality information to support the functioning of internal control.
obtain and use information
relate to the effectiveness and efficiency of an entity's operations. This category includes financial and operating performance goals as well as ensuring that the assets of the organization are adequately safeguarded against potential losses
operations objectives
positive events that promote achievement of objectives are
opportunities
management establishes an organizational structure, including reporting lines, authorities, and responsibilities, that is appropriate to the organization's objectives
organizational structure
Management establishes the risk appetite of the entity with the
oversight of the board of directors
an assigned employee or manager should compare financial or operating results to predetermined standards. Any material variances should be investigated by the assigned employee.
performance indicators
assets are kept in physically secure locations. A company's legal documents, including lending agreements, customer contracts, investment documents, and leases, should be kept in a locked fire-proof vault.
physical controls
_____ and _____ should mirror the actions anticipated by the risk response and should be expected to be effective
policies and procedures
Risk should be considered entity-wide using a ________. Ultimately, entities must review their total residual risk in comparison to their risk tolerance. Simply put, once the organization has done all it can do, is the potential return worth the risk?
portfolio perspective
The improvement in local economic conditions has resulted in more demand for the company's products and an expansion of its customer base.
positive events
a flow chart of activities used to identify potential risks
process flow analysis
ERM devotes time to event identification. Events may be positive (opportunities) or negative (risks). The early identification of events and the establishment of responses to those events reduce surprises and losses or lost opportunities
reducing operational surprises and losses
A company that has had past inventory shortages may elect to invest in inventory technology to more closely monitor inventory levels and avoid the risk of stockouts. This is an example of
reduction
management may elect to reduce or mitigate risk. A response to risk that involves diversification of product offerings, rather than elimination of product offerings
reduction
the risk to an organization that exists after management takes action to mitigate the adverse impact of the event
residual risk
The amount of risk an organization will accept in the pursuit of value maximization is defined by ______. Factors heavily into balancing strategy with return.
risk appetite
The shared beliefs and attitudes of management that impact the entire organization are defined by the
risk management philosophy
the accepted level of variation relative to the achievement of objectives; measured in the same units as those used to measure the related objectives
risk tolerances
Negative events that prevent achievement of objectives are
risks
there should be adequate segregation of the authorization, record-keeping, and custodial functions to ensure that no one individual can control a transaction from beginning to end and thereby manipulate results
segregation of duties
management can better capitalize on opportunities when they know their own entity's strengths and weaknesses and how to use them to maximize profitable opportunities
seizing opportunities
The company may take no action, self-insuring or simply tolerating the full exposure to risk (low probability; low loss).
acceptance
XYZ Company produces widgets which are currently in high demand. Instead of expanding its production capacity to accommodate higher order volumes, the company takes no action and is content with the daily production of widgets generated from its sole operating plant. This is an example of
acceptance
The degree to which individuals are given appropriate authority to handle their responsibilities and the degree to which they are held accountable influence the internal environment
accountability
suggests strong controls and encourages management to hold individuals accountable for their internal control responsibilities
accountability principle
Objectives ultimately selected and implemented by the organization must not only support the mission, but should also
align with the entity's risk appetite.
Organizations set strategy and objectives based on their individual willingness to bear risk. The levels and types of risk, including the mechanisms used to manage risk, are important themes in ERM
aligning risk appetite and strategy
The intent of ERM is to
allow management to effectively deal with uncertainty, evaluate risk acceptance, and build value
establishes an organization-wide tone that recognizes the board's authority and promotes accountability of management.
appropriate oversight provided by the board of directors
In 2004, COSO issued Enterprise Risk Management - Integrated Framework to
assist organizations in developing a comprehensive response to risk management
A company with an underperforming product line decides to discontinue the underperforming product line instead of taking steps to improve its performance. This is an example of
avoidance
management may elect to avoid or terminate risk. a response to risk that involves disposal of a business unit, product line or geographical segment.
avoidance
A company that produces perishable food items decides to buy insurance to cover potential losses from spoilage, this is an example of
sharing
management may reduce risk by transferring (sharing) it: insuring against losses or entering into joint ventures to address risk.
sharing
Value is maximized when
strategy balances risks and returns as well as efficiency and effectiveness in accomplishing objectives
the organization structure should
support the entity's enterprise risk management system
In establishing the likelihood and impact of events, managers should use
the same time horizon as strategic plans
considers the risk assessment component of internal control, identifies changes in process or risk, and verifies that the design of underlying controls remains effective.
change identification
management's specification of required competency levels for each job function establishes the organization-wide expectation of individual, and thus corporate, competence.
commitment to competence
include adherence to the laws, rules, and regulations associated with operations, including tax and financial reporting compliance, workplace safety, environmental regulations, and other laws.
compliance objectives
the policies and procedures used to effect management's response to risk
control activities
includes the processes, structures, and standards that provide the foundation for an entity to establish a system of internal control.
control environment
If a director is presented with a business opportunity that is of interest to his corporation, the duty of loyalty generally prohibits the director from taking the opportunity for himself. He must present the opportunity to the corporation and can take the opportunity for himself only if the corporation decides not to take it.
corporate opportunity doctrine
generally drawn from past experience with similar events. May include relevant economic data trends, historical industry information, or past company (data) experience.
data sources
review of performance reports and reconciliations by operating managers to ensure that transactions and other operations are executed as prescribed
direct functional or activity management
a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
enterprise risk management
comparison of activity to predefined criteria may trigger identification of events (variances from standards)
escalation or threshold triggers
Changes in interest rates might impact exchange rates, which could change supplier costs or foreign demand. this is an example of
event interdependencies
lists of potential events common to companies in a particular industry
event inventory
The underlying premise of ERM is that
every entity exists to provide value for its stakeholders, that all entities face uncertainty (risk), and that management must determine how much uncertainty to accept as it strives to grow stakeholder value.
Gathering management together to discuss or even brainstorm ideas in a structured manner
facilitated workshop
Suggests stronger controls and encourages the company to retain qualified personnel to handle financial reporting
financial reporting competence (commitment to competence)
The commitment to hiring the most qualified people will influence the internal environment. Minimum educational and work experience requirements, background checks, and the like demonstrate human resource commitment and facilitate individual and corporate accountability for new employee hires
human resources standards
the consequence of an event's occurrence; alternatively referred to as severity or seriousness
impact of an event
management can maximize the efficiency and effectiveness of capital investments when it has identified the maximum level of risk for a given capital investment
improving deployment of capital
use of common information processing controls such as edit checks, batch totals, etc.
information processing
the risk to an organization that exists if management takes no action to change the likelihood or impact of an adverse event
inherent risk
suggests stronger controls with high standards of ethical conduct for top management
integrity and ethical values principle
analysis performed by internal staff as part of business planning
internal analysis
the organization internally communicates information necessary to support the functioning of internal controls, including relevant objectives and responsibilities
internally communicate information
COSO identifies four stages of the change continuum:
1. control baseline 2. change identification 3. change management 4. control validation/update
Management's response to risk must align with the organization's overall risk appetite. Risk response is supported by the following key elements:
1. Evaluating possible responses 2. selected responses 3. portfolio view
Events, both negative (risks) and positive (opportunities) should be identified. Event identification is supported by the following key elements:
1. Events 2. Influencing Factors 3. Event Identification Techniques
Audit committees must establish procedures to accept reports of complaints regarding audit, accounting or internal control issues. Procedures must:
1. accommodate confidential, anonymous reports by employees of the issuer 2. accommodate receipt and retention of complaints as well as a method to address those complaints
As part of their fiduciary responsibilities, directors owe their corporation a duty of loyalty and must act in the best interests of their corporation. The duty of loyalty prohibits directors from competing with the corporation but does not necessarily prohibit directors from transacting business with the corporation. An action in which a director has a conflict of interest will be upheld only if:
1. after full disclosure, the transaction is approved by a disinterested majority of the board of directors or the shareholders; or 2. the transaction was fair and reasonable to the corporation
The ERM framework encompasses the following themes:
1. aligning risk appetite and strategy 2. enhancing risk response decisions 3. reducing operations surprises and losses 4. identifying and managing multiple and cross-enterprise risks 5. seizing opportunities 6. improving deployment of capital
Audit committee members are to be members of the issuer's Board of Directors but also must be otherwise independent. Independence criteria are as follows:
1. audit committee members may not accept compensation from the issuer for consulting or advisory services. 2. Audit committee members may not be an affiliated person of the issuer (affiliation means a person has the ability to influence financial decisions)
Management will generally respond to risk in one of four ways:
1. avoidance 2. reduction 3. sharing 4. acceptance
The internal environment component of ERM is similar to the control environment of the internal control framework and defines the tone of the organization. The internal environment component is supported by eight key elements:
1. commitment to ethical values and integrity 2. board oversight 3. organizational structure 4. commitment to competence 5. accountability 6. risk management philosophy (aggressive or conservative) 7. human resources standards (hire, train, evaluate, compensate, promote) 8. risk appetite (EBOCA + HR)
The character of risks changes when viewed from an entity-wide perspective through to the division and business unit levels. Applying the framework at each level identifies unique and common risks, which helps management identify appropriate responses.
Identifying and managing multiple and cross-enterprise risks
support the identification, capture, and exchange of information in a timely and useful manner.
Information and Communication systems (FACT- Fair, accurate, complete, timely)
includes key elements that relate to the identification, capture and communication of information.
Information and communication component of the ERM framework
includes key elements that relate to the ongoing management activities or separate evaluations of the ERM approach adopted by the entity.
Monitoring component of the ERM framework
the board is independent from management and oversees the development and performance of internal control
board independence and oversight
has the power to set director compensation
board of directors
the probability that an event might occur
likelihood of an event
suggests strong controls and encourages management attitudes that are congruent with strong financial controls
management philosophy and operating style principle
the process of assessing the quality of internal control performance over time by assessing the design and operation of controls on a timely basis and taking the necessary corrective actions.
monitoring
review of major initiatives and budget vs. actual performance by senior executive managers.
top-level reviews