My Governance, Risk, and Assurance Wish List for 2012
Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.
Many if not most of the items on my wish list are aspirational at best. They cover multiple areas, all coming together around my general theme of better run organizations. They include aspects of governance, risk management, internal audit, information, and performance management.
I welcome your thoughts on these — which do you agree with, which do you dislike, and overall how crazy am I?
1. A globally-accepted organizational governance code, encompassing both risk management and internal control — although more detailed codes are required for both (see below). We may also need variations for different types of entities: public for-profits, not-for-profits, private companies, governments, etc. When I say "globally-accepted," I mean accepted by the regulators around the world and mandated by them.
2. The convergence of the COSO ERM Framework and the global ISO 31000:2009 risk management standard. The overall product (including related guidance) has to:
a. Be simple and easy to understand and use
b. Provide guidance for the initial implementation of risk management
c. Establish a vision for mature risk management
d. Help you progress from initial to mature risk management maturity
e. Support an evaluation of the effectiveness of risk management
f. Guide the embedding of risk management into daily business processes and decision-making, instead of being a separate process (or more realistically set of processes)
g. Emphasize the importance of the organizational culture and attitude towards risk and performance (must be both), and provide guidance on how to measure and them improve the culture as needed
h. Explain the relationship between risk management and strategy-setting processes
i. Explain the relationship between risk management and performance management, including the ability to show risk-adjusted performance measures, forecasts, etc.
j. Guide the oversight of risk management by the governing body (usually the board of directors)
k. Explain the relationship between the global governance framework (above) and an internal controls framework (see below)
l. Address the management of uncertainty with respect to opportunities — the upside of risk
m. Address the need for the evaluation of risk to take into account the opportunity for reward. Many if not most decisions are not one-sided: the alternatives offer both upside and downside potential at the same time. For example, (adverse) risks related to a new product need to be considered together with the potential for revenue and profit. Both negative and positive effects have likelihood and impact. The guidance needs to explain how to consider the total picture, not just the downside
n. Discuss how different risk processes around the organization are brought together in an enterprise-wide program. Discuss the need for specialized processes for certain risk areas, such as commodity price and currency fluctuation risk, IT vulnerability, etc, where not only specialized knowledge may be required but sophisticated models as well. Explain how to integrate risk assessment and evaluation when some risk areas are measured using likelihood and others using frequency.
o. Be accepted globally by all interested parties: enterprise risk management practitioners, insurance and safety managers, auditors and assurance professionals, governance experts and board members, operational managers, etc.
3. An update of the COSO Internal Control Framework that recognizes that internal controls are the organization’s response to uncertainty (i.e., risk), and you need the controls to ensure the likelihood and effects of uncertainty are within organizational tolerances.
4. Agreement (maybe as part of #2) on the meaning of ‘risk appetite’, ‘risk tolerance’, ‘risk attitude’, ‘risk criteria’, and related terms. All of this as part of guidance that explains how you can set guidance on risk-taking that works not only for (a) the board and top management (who want to set overall limits), but also for (b) the people on the front lines who are the ones actually making decisions, accepting risks, and taking actions to manage the risks. The guidance also has to explain the need to measure and report on whether the actions taken on the front lines aggregate to levels within organizational tolerances.
5. A change to the opinion provided by the external auditors, from one focusing on compliance with GAAP to one focusing on whether the financial reports filed with the regulators provide a true and fair view of the results of operations, the condition of the organization, and the outlook for the future. Note that I don’t expect the auditors to have an opinion on the outlook, only that management has followed a reasonable process, including the identification and evaluation of risks.
6. The inclusion in the reports filed with the regulators of:
a. An opinion by management on the effectiveness of the enterprise-wide risk management program. This could be based on the assessment of the internal audit function.
b. An opinion by the board that the compensation consultants (and other experts whose guidance was relied on during the year) are independent and free of inappropriate influence by management.
c. An assessment by the chair of the board, on behalf of the full board, of the effectiveness of organizational governance based on the governance code. A periodic independent assessment should be made (either by a third party or by the internal audit function).
7. A change in attitude of investor groups, focusing on longer-term value instead of short-term results. In particular, they should be more active when it comes to director and executive compensation.
8. The investors being required to approve, at the annual general meeting, the director and executive compensation programs for the next year.
9. The SEC withdrawing the proposal to mandate auditor rotation. If the audit committee is effective, this is not required. I believe it will result in an adverse change to the quality of the external audit and the cost to the organization.
10. Changes in the IIA’s standards for the professional practice of internal auditing, including:
a. A move to a principles-based set of standards, mandating that audit engagements should be prioritized based on the risk to the organization and the value provided by an internal audit project. The mandate to perform audits of specific areas (such as the code of ethics and IT governance) must be removed, replaced by guidance that these areas be given strong consideration in developing the audit plan
b. The clarification that assurance is only effectively provided when there is a formal assessment and opinion provided to the stakeholders. The chief internal auditor (CAE) should provide a formal assessment of governance, risk management, and related internal control processes to the board and top management at least once a year
c. Consideration of the need to provide timely assurance. The business can no longer afford to wait weeks or months to obtain internal audit’s assessment
d. The need to have a more continuous audit risk assessment and planning process than annual. Internal audit should have a program where it is addressing the risk areas of today and the future, not what used to be a risk area
11. An improved understanding by the board and top management of the value of internal audit as a provider of assurance relative to governance, risk management, and related internal control processes. Internal audit should not have to step in and perform management functions (such as the identification of duplicate payments or invalid transactions, the audit of contractors, or fraud detection and investigation) to prove its value.
12. Finally, while I would like to see the term "GRC" disappear, I am going to be somewhat realistic and only wish for a shared understanding of what it means — and that meaning is the one used by OCEG, summarized as "establishing and reliably achieving objectives, considering risk, and remaining in compliance."
Do you like these 12? Which do you disagree with, or would modify?
What are your top wishes for 2012 (and beyond)?
Posted on Dec 20, 2011 by Norman Marks
Share This Article: