Risk Oversight: What boards need going forward


Risk Oversight: What boards need going forward. March 20, 2014, Conference Board Europe. Presenters: Tim Leech FCPA CIA CRMA CFE, Risk Oversight Inc., Canada; Parveen Gupta LLB MBA PhD, Lehigh University, U.S.

Your Presenters: Tim Leech FCPA CIA CRMA CFE, tim.leech@riskoversight.ca; Parveen Gupta L.L.B. MBA PhD, ppg0@lehigh.edu

About Your Presenter: Tim J. Leech, FCPA FCA CIA CRMA CFE, is Managing Director Global Services at Risk Oversight Inc. ("RO"). He has over 30 years of experience in the ERM, internal audit, IT, and forensic accounting fields. His experience base includes setting up a new business unit for Coopers & Lybrand, Control & Risk Management Services, in 1987; founding, building, and successfully selling CARD decisions, a global risk and assurance consulting and software firm, to Paisley/Thomson Reuters from 1991 to 2004; serving as Paisley's Chief Methodology Officer from 2004-2007; and 25+ years of global experience helping clients with internal audit transformation initiatives and the design, implementation, and maintenance of integrated GRC/ERM/IA methodology and technology frameworks. He developed and successfully released CARD map, the world's first integrated risk and assurance software, in 1997. The web-enabled cloud version of CARD map was released in 2000. He was the first to develop and deliver training on IIA IPPF Standard 2120 to equip internal auditors to assess and report on the effectiveness of risk management processes. He is the author of the Conference Board Director Notes December 2012 publication "Board Oversight of Management's Risk Appetite and Tolerance" and the highly acclaimed January 2014 "Risk Oversight: Evolving Expectations for Boards". Leech was a pioneer in the global control and risk self-assessment movement in the 1990s. He's now considered to be an honorary grandfather of that movement. In 2013 he launched a second generation of disruptive innovation with a radical new approach to risk and assurance management, board-driven/objective-centric risk governance, to support the rapid escalation in board risk oversight expectations.
He is currently actively looking for consulting firms and software vendors interested in licensing his materials and helping companies and their boards meet increasingly codified and escalating board risk oversight expectations.

About Your Presenter: Parveen P. Gupta, L.L.B MBA PhD, is the chair and professor of accounting at the College of Business and Economics at Lehigh University in Bethlehem, Pennsylvania. He is a recognized expert in Sarbanes-Oxley, internal control, risk management, financial reporting quality and corporate governance. He has published numerous research papers and monographs in these areas. He is the recipient of many awards in teaching and research. During 2006-2007, he served as an Academic Accounting Fellow in the SEC Division of Corporation Finance, where he worked closely with the Division's Chief Accountant and participated actively in Sarbanes-Oxley related projects, including issuing the Commission's Guidance on Management's Report on Internal Control under Sarbanes-Oxley Act Section 404 and the Public Company Accounting Oversight Board's (PCAOB) Auditing Standard No. 5 on Auditing Internal Control. He and his team members were recognized for their work in this area with the Law and Policy award. His advisory experience is in the related areas and includes working with U.S.-based manufacturing, financial services and energy industry clients and Big Four public accounting firms. He is a frequent speaker at academic and professional conferences at both the national and international level. He is often quoted in the media.

Agenda: Codification of board risk oversight expectations; Barriers to effective board oversight of risk; Board-driven/Objective-centric ("BD/OC") risk and assurance governance; The way forward; Questions

Codification of Board Risk Oversight Expectations

Codification of Board Risk Oversight Expectations

Codification of Board Risk Oversight Expectations

Codification of Board Risk Oversight Expectations

Codification of Board Risk Oversight Expectations: NACD Board Risk Oversight Criteria. While risk oversight objectives may vary from company to company, every board should be certain that:
the risk appetite implicit in the company's business model, strategy, and execution is appropriate;
the expected risks are commensurate with the expected rewards;
management has implemented a system to manage, monitor, and mitigate risk, and that system is appropriate given the company's business model and strategy.

Codification of Board Risk Oversight Expectations. While risk oversight objectives may vary from company to company, every board should be certain that:
the risk management system informs the board of the major risks facing the company;
an appropriate culture of risk-awareness exists throughout the organization;
there is recognition that management of risk is essential to the successful execution of the company's strategy.
Source: National Association of Corporate Directors, Report of the NACD Blue Ribbon Commission, Risk Governance: Balancing Risk and Reward, October 2009

Codification of Board Risk Oversight Expectations

Codification of Board Risk Oversight Expectations: IIA's IPPF Risk Management Standard 2120, effective 2010, states that internal auditors "must evaluate the effectiveness and contribute to the improvement of risk management processes." http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/standards-items/?i=8269

Codification of Board Risk Oversight Expectations. Per IIA IPPF 2120: Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:
organizational objectives support and align with the organization's mission;
significant risks are identified and assessed;
appropriate risk responses are selected that align with the organization's risk appetite; and
relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.
http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/standards-items/?i=8269

Codification of Board Risk Oversight Expectations: CSA Expectations for Canadian Public Companies. Material risks are required to be disclosed in regulatory filings such as an AIF or a prospectus. The way in which an issuer manages those risks may vary between industries and even between issuers within an industry according to their particular circumstances. It is important for investors to understand how issuers manage those risks. Disclosure regarding oversight and management of risks should indicate:
the board's responsibility for oversight and management of risks, and
any board and management-level committee to which responsibility for oversight and management of risks has been delegated.
The disclosure should provide insight into:
the development and periodic review of the issuer's risk profile;
the integration of risk oversight and management into the issuer's strategic plan;
the identification of significant elements of risk management, including policies and procedures to manage risk; and
the board's assessment of the effectiveness of risk management policies and procedures, where applicable.
Source: CSA Staff Notice 58-306, 2010 Corporate Governance Disclosure Compliance Review, December 2, 2010, page 24, http://bit.ly/ezvf3o

Codification of Board Risk Oversight Expectations. In the U.S. it isn't very clear yet what the SEC wants/requires. It's subject to best-guess interpretation. Some best guesses from informed sources: Deloitte did research in 2010, 2011 and 2013 and has published some criteria for risk oversight proxy disclosures, "Risk Intelligent Proxy Disclosures 2013" (http://bit.ly/1fljven). PwC has published a useful risk governance disclosure guide focused on the risk management and oversight principles being promoted by the Financial Stability Board (http://pwc.to/1ixmfvv).

Codification of Board Risk Oversight Expectations. From the SEC, February 20, 2013: "Item 407(h) also requires companies to describe the role of the board of directors in the oversight of risk. Recently, the U.S. Government Accountability Office found that economic output losses from the 2007-2009 financial crisis could exceed $13 trillion. Given the magnitude of that crisis, which continues to be felt, it would be difficult to overemphasize the importance that investors place on questions of risk management. Has the board set limits on the amounts and types of risk that the company may incur? How often does the board review the company's risk management policies? Do risk managers have direct access to the board? What specific skills or experience in managing risk do board members have? Issuers that offer boilerplate in lieu of a thoughtful analysis of questions such as these have not fully complied with our proxy rules and are missing an important opportunity to engage
Source: SEC Commissioner Luis Aguilar, speech of February 20, 2013, http://www.sec.gov/news/speech/2013/spch022013laa.htm

Codification of Board Risk Oversight Expectations: Financial Stability Board, November 2013

Codification of Board Risk Oversight Expectations: Board responsibilities per the FRC (UK) November 2013 proposal. Boards are responsible for:
determining the extent to which the company is willing to take on risk (its "risk appetite");
ensuring that an appropriate risk culture has been instilled throughout the organization;
identifying and evaluating the principal risks to the company's business model and the achievement of its strategic objectives, including risks that could threaten its solvency or liquidity;
agreeing how these risks should be controlled, managed, or mitigated;

Codification of Board Risk Oversight Expectations: Board responsibilities per the FRC (UK) November 2013 proposal. Boards are responsible for (cont.):
ensuring an appropriate risk management and internal control system is in place, including a reward system;
reviewing the risk management and internal control systems and satisfying itself that they are functioning effectively and that corrective action is being taken where necessary; and
taking responsibility for external communication on risk management and internal control.
(Source: https://frc.org.uk/our-work/publications/frc-board/consultation-paper-Risk-Management,-Internal-Contr.aspx)

Barriers to Effective Board Oversight of Risk

Barriers to effective board oversight of risk: Board Risk Oversight Handicap #1

Barriers to effective board oversight of risk: Board Risk Oversight Handicap #2, lack of consensus on what it means

Barriers to effective board oversight of risk: Board Risk Oversight Handicap #3, traditional ERM not delivering what boards need

Barriers to effective board oversight of risk: Board Risk Oversight Handicap #4

Barriers to effective board oversight of risk: Board Risk Oversight Handicap #5, lack of agreement on what is effective risk oversight

Barriers to effective board oversight of risk: Board Risk Oversight Handicap #6, litigation risk: damned if we do/damned if we don't

Barriers to effective board oversight of risk: Board Risk Oversight Handicap #7, boards have not asked/demanded what they need

Board Driven/Objective Centric Risk Governance

Board Driven/Objective Centric Risk Governance.
Transform risk and assurance functions from supply driven to board/demand driven. The end game is to seek conscious consensus agreement on the acceptability of the company's retained/residual risk status, up to and including the board.
Clarify accountabilities: clearly defined risk management and risk oversight accountabilities up to and including the Board. The Board demands reliable information on significant retained/residual risk status, linked to important value creation and potential value erosion objectives, from the CEO and management, and assurance on the reliability of that report from the IA and ERM staff groups.
Focus on end-result objectives and on creating a clear picture of the current residual risk status linked to those objectives for decision makers.

Board Driven/Objective Centric Risk Governance.
Change internal audit's mandate and reporting. Internal audit's primary mandate is to ensure senior management and the board are aware of the current residual risk status linked to key value creation and potential value erosion objectives.
Change the mandate of ERM functions. ERM functions should be tasked with creating and maintaining reliable processes capable of providing materially reliable status reports on the current state of retained/residual risk linked to key value creation and potential value erosion objectives.
Demand better information on risks posed by reward systems. Misaligned reward systems have been at the root of many of the biggest governance failures in history.

Board Driven/Objective Centric Risk Governance.
Recognize the need for training. Current approaches to ERM, internal audit, compliance, safety and environment don't provide the information necessary for boards to discharge their responsibility to oversee management's risk appetite and tolerance. Training and new information systems are required.
Recognize and accept that better documented risk management is a two-edged sword. Most companies in the world today break at least some laws, sometimes a little and sometimes a lot. Some manage earnings, sometimes a little and sometimes a lot. Others sacrifice safety and the environment for profits. Sometimes plausible deniability is the best defence boards can present. Delaware Courts in the U.S. are still fairly receptive to the "I didn't know" defence.

Implementing Board Driven/Objective Centric Risk Governance: RiskStatusline Assessment Method

Implementing Board Driven/Objective Centric Risk Governance: Assigning Composite Residual Risk Ratings

Implementing Board Driven/Objective Centric Risk Governance: Deciding on Risk Assessment Rigour ("RAR")

The way forward

Thank you / questions? Tim Leech, tim.leech@riskoversight.ca; Parveen Gupta, ppg0@lehigh.edu