Guidance for Audit Committees: Risk management goes beyond financial reporting and should focus on business performance

On September 1, 2011, the European Confederation of Directors' Associations (ecoDa) published a document titled Audit Committee Guidance for European Companies.  This document provides an excellent overview of the roles and responsibilities of the audit committee, maps those responsibilities to the expectations of the EU 8th Company Law Directive, and highlights some country-specific requirements related to audit committees.  The report also highlights two important topics that should be embraced by all Boards, regardless of geography:

  1. Risk management should focus on performance as well as potential loss events
  2. The Audit Committee should focus on all enterprise risks – not just those related to financial reporting

The document dedicates an entire section to monitoring the effectiveness of internal control and risk management systems.  According to the report: “It is important that risk management and control are not seen as a burden on the institution, but rather the means by which opportunities are maximized and potential losses associated with unwanted events are reduced. Risks manifest themselves in a range of ways and the effect of risks crystallising may have a positive as well as negative outcome for the institution.  It is vital that those responsible for the stewardship and management of an institution be aware of the best methods for identifying and subsequently managing such risks”.

The report goes on to explain that the remit of the audit committee extends well beyond reviewing financial controls and risks, and also covers the risks and controls related to operational and compliance matters.  According to the report:  “Traditionally, audit committees have been concerned with the oversight of internal financial controls.  However, the Directive is drawn much wider in that it imposes a duty on the audit committee to monitor the effectiveness of internal control and risk management systems in their entirety.  This goes beyond the financial reporting processes and encompasses the system of risk and control associated with other areas such as operational matters and compliance with laws and regulations.”

At a time when many Board Audit Committees and internal audit professionals are evaluating changes to the scope of their charter, this ecoDa document offers solid guidance and a good reference point for driving process improvement discussions.

Posted in GRC, Internal Audit, Risk Management

THOMSON REUTERS POSITIONED IN THE LEADERS QUADRANT OF THE MAGIC QUADRANT FOR ENTERPRISE GOVERNANCE, RISK AND COMPLIANCE PLATFORMS

Thomson Reuters (accelus.thomsonreuters.com) has been positioned by Gartner, Inc. in the Leaders quadrant of its Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms.

The Gartner Magic Quadrant for enterprise governance, risk and compliance (EGRC) platforms presents Gartner’s global assessment of the main software vendors that organizations should consider when seeking a technology solution to support the oversight and operation of enterprise-wide risk management and compliance programs, with the overall objective of improving corporate governance and the ability to achieve business objectives.

Thomson Reuters was placed in the Magic Quadrant after Gartner evaluated the Thomson Reuters Enterprise GRC solution on its ability to execute and its completeness of vision. Enterprise GRC is a comprehensive audit, internal controls management, policy management and compliance software solution purpose-built to address connected governance, risk and compliance requirements.

You are invited to read the full report with complimentary access at this link.

Posted in Compliance, GRC, Internal Audit, Risk Management

Jumpstart your GRC Project – Step 5: Sharpen Your Tools

The next step on our journey to jumpstart a GRC project is to evaluate and refine the tools used in your assurance practice.

STEP 5:
There is a saying that you can tell a lot about a workman by looking at the tools they use. That applies to all professionals and, in particular, to GRC professionals. Here are some basic tools every GRC professional should have in their toolkit and sharpen regularly.

REGULATORY NEWS AND ANALYSIS: Seek out and rely on expert information that includes current, new and proposed regulatory information. Look for expert opinions and analysis that can help you stay ahead of the evolving compliance landscape.

RESEARCH YOUR PEERS: Knowledge of your competitors and their practices provides insight into enforcement trends, legal precedent, and opportunities for innovation and business development.

SELF-ASSESSMENT: Vast amounts of information about risks, controls, compliance and issues can be gathered using self-assessment techniques. Self-assessment instruments range from structured workshops run by skilled facilitators to surveys that can provide new insights.

MONITORING AND SCREENING: Technology exists that can detect potentially fraudulent transactions in near real time and screen vendors and employees for risk indicators.  Are you considering, or have you proposed, such screening and monitoring technology options to management?

REPORTING AND DISCLOSURE: Ensure that the board and your decision makers have access to real-time actionable information and that you are following all disclosure requirements to shareholders, the board and regulatory agencies.

GRC CONVERGENCE TECHNOLOGY: Technology exists and is successfully used to document, manage and report on the work and results of GRC professionals in a corporation. Have you explored this technology?

Posted in GRC

Jumpstart Your GRC Project – Step 4: Refocus on the End Result

In steps 1 through 3, we evaluated the current state of GRC and promoted peer interaction. The next area of focus is determining what GRC customers really want and how end results should be measured.

STEP 4:
GRC professionals often fall into the trap of defining their role by the activity performed and not by the desired outcome. Auditors define their role as doing audits. Compliance professionals define their roles in terms of policies and investigations. Financial reporting professionals focus on the work of preparing reports and disclosures.

Consider a scenario in which your GRC group were outsourced. What contract provisions would be essential to measure the service provider’s performance, and how would those outcomes be measured?

Survey your GRC customers to determine what outcomes they seek. Give them a specific list of services and ask them to rank those services in order of importance. Then ask respondents to rate their end-result expectations for each service as high, medium or low. Prepare to be surprised.

Posted in Compliance, GRC, Internal Audit

Jumpstart Your GRC Project – Step 3: Network with Your GRC Peers

The third step in the series of blog posts, Jumpstart Your GRC Project, is to expand your professional circle to connect with other assurance providers.

STEP 3:
GRC professionals have a strong propensity to seek out and associate with others in their own GRC discipline. Expand your network to include people from other GRC disciplines. Within your organization, make a point of meeting regularly and informally with your GRC colleagues in legal, compliance, audit, risk management, and financial reporting.

  • Host a regular meeting in your firm with representatives from legal, compliance, audit, risk, and financial reporting.
  • Attend a conference sponsored by another GRC profession.
  • Join an on-line discussion group outside your specialty and actively participate.
  • Subscribe to news services from outside your area of specialization.
  • Attend a local chapter meeting of another GRC profession.
  • Make a point of browsing the websites of other GRC professions at least monthly.

Posted in Compliance, GRC, Internal Audit, Risk Management

Jumpstart Your GRC Project – Step 2: Eliminate Bad Habits

The first post in the Jumpstart Your GRC Project series looked at creating a report card to evaluate your GRC program. This next step focuses on evaluating current processes to identify and eliminate the habits that inhibit a GRC initiative.

STEP 2:
Regularly examine standard practices and procedures to ensure that you are taking the best approach to your assurance functions.

  • Challenge your preparedness for compliance audits.  Regulations are constantly changing – are you really prepared?
  • Eliminate GRC whitespace. Assurance groups operating in silos contribute to redundant processes and overlooked risks.  Effective GRC connects people, processes and information.
  • Evaluate and identify duplicated efforts.  Do not have the same control tested by multiple assurance groups – share resources.
  • Do not focus on controls; focus on the underlying risks. A control can change or fail, but the risk it was designed to mitigate usually remains. Become risk focused.
  • The goal of GRC is to drive principled business performance.  Do not lose sight of that goal: prioritize GRC activities that drive business value.

Posted in GRC

Jumpstart Your GRC Project – Step 1: Prepare a GRC Report Card

It has become increasingly clear that Governance, Risk and Compliance (GRC) activities are by nature interconnected and rely on common information, methodology, processes and technology. Although the potential business value of end-to-end GRC may be clear, many organizations struggle with defining the scope, establishing performance targets, and jumpstarting their GRC projects. This is the first in a series of posts outlining 10 steps to consider when evaluating the maturity of your current GRC program, or to walk through as a checklist when initiating a new end-to-end GRC initiative.

STEP 1: PREPARE A GRC REPORT CARD
Prepare a governance, risk and compliance (GRC) report card for your GRC peers, management and board. Set the bar high, but do not expect straight A’s. Grade yourself on the following criteria:

Examine your regulatory intelligence. Do you have a solid understanding of your regulatory requirements, and a consistent process in place to identify and assess all regulatory changes impacting your organization?

SCALE: There were over 12,500 regulatory changes made in 2010. An “A” requires a process where you receive updates and analysis on regulatory changes and have them dynamically linked to your internal policies.

Examine your GRC practices. How well do you connect regulatory changes, policies, and related controls to risk management and overall business strategy?

SCALE: Give yourself an “A” if your organization operates with a common language of policy, risk and control and if there are regularly scheduled, collaborative meetings between the audit, compliance, legal and risk departments.

Do you deliver a relevant set of programs and reports that provide the board and senior management with the business intelligence that empowers informed decision making?

SCALE: Are you certain that if you posed this question to the board they would agree? If so, give yourself an “A”.

Do you have the necessary policies in place? Have the employees in your organization received appropriate training and signed off on those policies?

SCALE: Give yourself an “A” if you are confident that a regulator could perform random testing and all employees would pass with excellent scores.

Is innovation invited, are new professional practices integrated, and has GRC technology been incorporated?

SCALE: An “A” performer will be well on their way to technology-enabled GRC convergence driven by active, demanding stakeholders.

Posted in GRC