1. Risk management should focus on performance as well as potential loss events
2. The Audit Committee should focus on all enterprise risks – not just those related to financial reporting

This document dedicates an entire section related to the discussion of monitoring the effectiveness of internal control and risk management systems.  According to the report: “It is important that risk management and control are not seen as a burden on the institution, but rather the means by which opportunities are maximized and potential losses associated with unwanted events are reduced. Risks manifest themselves in a range of ways and the effect of risks crystallising may have a positive as well as negative outcome for the institution.  It is vital that those responsible for the stewardship and management of an institution be aware of the best methods for identifying and subsequently managing such risks”.

The report goes on discuss that the remit of the audit committee goes well beyond that of reviewing financial controls and risks and address those risks and controls related to operational and compliance matters.  According to the report:  “Traditionally, audit committees have been concerned with the oversight of internal financial controls.  However, the Directive is drawn much wider in that it imposes a duty on the audit committee to monitor the effectiveness of internal control and risk management systems in their entirety.  This goes beyond the financial reporting processes and encompasses the system of risk and control associated with other areas such as operational matters and compliance with laws and regulations.”

At a time when many Board Audit Committees and internal audit professionals are evaluating changes to the scope of their charter, this ecoDa document provides some solid guidance and provides a good reference point to drive process improvement discussions.

This Gartner Magic Quadrant for enterprise governance, risk and compliance (EGRC) platforms presents a global view of Gartner’s assessment of the main software vendors that should be considered by organizations seeking a technology solution to support the oversight and operation of enterprisewide risk management and compliance programs, with the overall objective being improvements in corporate governance and the ability to achieve business objectives.

Thomson Reuters was placed in the Magic Quadrant after Gartner evaluated the Thomson Reuters Enterprise GRC solution on its ability to execute and its completeness of vision. Enterprise GRC is a comprehensive audit, internal controls management, policy management and compliance software solution purpose-built to address connected governance, risk and compliance requirements.

You are invited to read the full report with complimentary access at this link.

STEP 5:
There is a saying that you can tell a lot about a workman by looking at the tools they use. That applies to all professionals and, in particular, to GRC professionals. Here are some basic tools every GRC professional should have in their tool- kit and sharpen regularly.

REGULATORY NEWS AND ANALYSIS: Seek out and rely on expert information that includes current, new and proposed regulatory information. Look for expert opinions and analysis that can help you stay ahead of the evolving compliance landscape.

RESEARCH YOUR PEERS: Knowledge of your competitors and their practices provides insight into enforcement trends, legal precedent, and opportunities for innovation and business development.

SELF-ASSESSMENT: Vast amounts of information about risks, controls, compliance and issues can be gathered using self-assessment techniques. Self-assessment instruments range from structured workshops run by skilled facilitators to surveys that can provide new insights.

MONITORING AND SCREENING: Technology exists that can immediately detect fraudulent transactions or screen for risky vendors and employees.  Are you considering, or have you proposed, sophisticated screening and monitoring technology options to management?

REPORTING AND DISCLOSURE: Ensure that the board and your decision makers have access to real-time actionable information and that you are following all disclosure requirements to shareholders, the board and regulatory agencies.

GRC CONVERGENCE TECHNOLOGY: Technology exists and is successfully used to document, manage and report on the work and results of GRC professionals in a corporation. Have you explored this technology?

STEP 4
GRC professionals often fall into the trap of defining their role by the activity performed and not by the desired outcome. Auditors define their role as doing audits. Compliance professionals define their roles in terms of policies and investigations. Financial reporting professionals focus on the work of preparing reports and disclosures.

Consider a scenario where your GRC group was outsourced. What contract provisions would be essential to measure the service provider’s performance and how would those outcomes be measured?

Survey your GRC customers to determine what outcomes they seek. Give them specific choices for the services and ask them to rank them in order of importance. Ask respondents to indicate whether they believe the answers are high, medium or low in terms of end result expectations. Prepare to be surprised.

STEP 3:
GRC professionals have an amazing propensity to seek out and associate with others in their own GRC discipline. Expand your network to include people from other GRC disciplines. Within your organization, make a point of meeting regularly and informally with your GRC colleagues in legal, compliance, audit, risk management, compliance, and financial reporting.

• Host a regular meeting in your firm with representatives from legal, compliance, audit, risk, and financial reporting.
• Attend a conference sponsored by another GRC profession.
• Join an on-line discussion group outside your specialty and actively participate.
• Subscribe to news services from outside your area of specialization.
• Attend a local chapter meeting of another GRC profession.
• Make a point of browsing the websites of other GRC professions at least monthly.

STEP 2
Regularly examine standard practices and procedures to ensure that you are taking the best approach to your assurance functions.

• Challenge your preparedness for compliance audits.  Regulations are constantly changing – are you really prepared?
• Eliminate GRC whitespace. Assurance groups operating in silos contribute to redundant processes and overlooked risks.  Effective GRC connects people, processes and information.
• Evaluate and identify duplicated efforts.  Do not have the same control tested by multiple assurance groups – share resources.
• Do not focus on controls, instead focus on underlying risks. The risks that controls are designed to mitigate usually remain. Become risk focused.
• The goal of GRC is to drive principled business performance.  Do not lose site of the goal – prioritize GRC activities to drive business value.

STEP 1: PREPARE A GRC REPORT CARD
Prepare a governance, risk and compliance (GRC) report card for your GRC peers, management and board. Set the bar high, but do not expect straight A’s. Grade yourself on the following criteria:

Examine your regulatory intelligence. Do you have a solid understanding of your regulatory requirements and have consistent process in place to identify and assess all regulatory changes impacting your organization?

SCALE: There were over 12,500 regulatory changes made in 2010. An “A” requires a process where you receive updates and analysis on regulatory changes and have them dynamically linked to your internal policies.

Examine your GRC practices. How well do you connect regulatory changes, policies, and related controls to risk management and overall business strategy?

SCALE: Give yourself an “A” if your organization operates with a common language of policy, risk and control and if there are regularly scheduled, collaborative meetings between the audit, compliance, legal and risk departments.

Do you deliver a relevant set of programs and reports that provide the board and senior management with the business intelligence that empowers informed decision making?

SCALE: Are you certain that if you posed this question to the board they would agree? If so, give yourself an “A”.

Do you have the necessary policies in place? Have the employees in your organization received appropriate training and signed off on those policies?

SCALE: Give yourself an “A” if you are confident that a regulator could perform random testing and all employees would pass with excellent scores.

Innovation is invited, new professional practices are integrated and GRC technology has been incorporated.

SCALE: An “A” performer will be well on their way to technology-enabled GRC convergence driven by active, demanding stakeholders.

At a November 30 U.S. Senate judiciary hearing (Examining Enforcement of the Foreign Corrupt Practices Act) Senator Arlen Specter (D., Pa.) raised this specific argument. The senator pointed out the U.S. Department of Justice’s current practice of imposing large fines on organizations, yet noted that they do not consistently seek criminal sentences.

During this hearing, Specter related the case of the Siemens’ FCPA violation where Siemens was found guilty of significant FCPA violations that resulted in hundreds of millions in government contracts.  According to Specter, “$1.6 billion (in fines) is a lot of money, but not when you take a look at other figures involving Siemens.” 

In 2008, Siemens posted $100 billion in revenue and $8 billion in profit. “The only impact on matters of this sort is a jail sentence,” said Specter. “Fines are added to the cost of doing business … and end up being paid by shareholders. No one likes to pay fines – but it does not amount to a whole lot for what is going on here.”

The DOJ has prosecuted about 50 individuals under the FCPA since 2009. However, in most of the high profile cases related to large corporations, the only penalties have been fines. 

Do you agree with Senator Specter? Should we be seeking jail sentences for corporate compliance violations that break federal laws? Is 1.5 percent of revenue a trivial amount that is merely absorbed by shareholders?

RISK INTELLIGENT PROXY DISCLOSURES:  TRANSPARENCY INTO BOARD-LEVEL RISK OVERSIGHT
Deloitte analyzed risk disclosures in proxy statements of the 398 S&P 500 companies filing a proxy on or after February 28,2010, through July 1 2010. This report from Deloitte outlines their findings.  

A LITTLE EXTRA ON THE ROAD
Corporate accountants have long known that otherwise law-abiding people commit travel expense fraud. And while new software programs help detect fraud, businesses report that travel fraud increased in the last few years as the distressed economy put more financial pressure on both employees and employers.  Read more at the New York Times. 

UK BRIBERY ACT GUIDANCE INDUCES NO ONE
The UK is cracking down on corruption with a new anti-bribery law that will effectively flip the burden of proof from prosecutors to defendants in bribery cases. With almost a presumption of guilt, companies operating in the UK will need to be able to establish that they have taken robust measures to prevent bribery for fear of facing unlimited fines or jail time if they do not. The Bribery Act (“the Act”) paves the way for Britain to become a world leader in anti-sleaze by codifying and significantly expanding existing bribery laws throughout the UK. But with recent Ministry of Justice’s (MoJ) guidance on the Act leaving more questions than answers, businesses and legal advisers are scratching their heads as to how exactly to avoid being caught. Read more at Westlaw Business.

HOW TO ESTABLISH A PROGRESSIVE INTERNAL AUDIT PROGRAM THAT COVERS ALL THE BASES
The internal audit: It’s a necessary part of conducting business that, done right, can at once assess operations, identify areas for improvement, manage risks and help maintain compliance. Now more than ever, audit committees, chief financial officers and other stakeholders need greater assurance that internal controls and risk management procedures are effective and efficient.  Read the entire article from Crowe Horwath. 

A GUIDE TO BOARD DIVERSITY
Although women and minorities have been seeking seats on corporate boards for many years, progress toward diversity in the boardroom continues to be glacial. More than half of public companies do not have a single minority director, while almost one out of three companies lacks a female director, according to the National Association of Corporate Directors.  Read more.

Since the traditional Thanksgiving football weekend is almost upon us, I’d like to offer a suggested playbook for what I will call COSO 2.0.

GO LONG
COSO Internal Control Integrated Framework will be 20 years old in 2012, when the new version is published. But COSO 2.0 needs to be aimed at the world of 2025. COSO 1992 has been out of date for at least a decade. Yes, it has been updated with supplementary frameworks and some of those have been good. Yes, the original COSO has some fundamental truths that will remain unchanged. But they must be adapted to a world that is changing daily. We need to aim COSO 2.0 at a group of users and stakeholders in a business world and society we can only imagine today. Anything less will make COSO 2.0 irrelevant when it is published.

GO WIDE
In a recent workshop on integrated reporting at the Harvard Business School, participants made the case that today’s corporate reporting is irretrievably broken. For example, companies have one framework for reporting on internal control over financial reporting and other frameworks for reporting on non-financial data even though the most reported financial and non-financial data is intertwined. 

If COSO 2.0 is to be relevant, it must be capable of meeting the reporting reliability requirements of all aspects of corporate reporting and function well in a world of integrated reporting. The world of GRC professionals is about to get a wider playing field.

AIM HIGH
When COSO 1992 was issued it was the only game in town. It was a breakthrough. That is not true now. A number of general purpose and highly specialized frameworks exist. COSO 2.0 must either incorporate current best practice frameworks or decisively improve on them. Two notable frameworks are the OCEG Red Book Maturity model and in another area entirely, the Global Reporting Initiative (GRI) framework, and this does not even take into account numerous offerings by other groups such as ISO. COSO 2.0 must take into account the best of what exists today and borrow from it or replace it with something better. We don’t need another silo.

USE SPECIAL TEAMS
The COSO team consists primarily of auditors, accountants, academics and financial executives. Special teams are essential for winning. The COSO 2.0 team needs to add some risk specialists, (preferably quants) some operating managers, some technology experts and others from quality, environmental and sustainability movements. COSO 2.0 must be a team effort.

CONSIDER SOME LATERAL THINKING
How can we drive down the cost and bureaucracy of the control paradigm? Consider this analogy. Broken fire extinguishers don’t cause fires. Broken controls don’t cause business failure. Let’s get a better understanding of the real root causes of failure. How can we manage human performance better? By most accounts, humans are the root cause of about 50% of loss events and failures.. Let’s stop blaming broken controls and start looking at what we expect from people. What observable skills and behaviors must we expect from managers, executives and boards?

KEEP SCORE
COSO must be able to demonstrate it is reliable. How many SOX certifications were found to be flawed? A variety of stats suggest the number is at least 10-15%. That’s about the same as Russian roulette. Twice since 1992 COSO researched the rate of fraudulent financial reporting based on SEC records. That’s like coming to a conclusion on the nation’s health by counting tombstones in the nation’s cemeteries once a decade. Find a way to measure success and failure. Start by analyzing the best record we have ever had of control failures – published disclosures of past SOX deficiencies. 

Today we have far more access to information than was the case in 1992. We have real time news feeds of loss events and failures of all types, from oil spills to product recalls to compliance fines and penalties. Failures of all kinds can be tracked every day, not every decade. We need to keep score continuously. It can be done.

PLAY TO WIN
Winning the game means improving business performance. It does not mean improving control performance. COSO 2.0 needs to provide a clear understanding of how we can determine the completeness and appropriateness of business strategies and objectives and provide a basis for creating and assessing key performance indicators at the process level. If business has the right objectives, and is meeting those objectives, we should be able to come to some prima facie conclusions about how the business is managing risk and control.

Here is one performance indicator: Google the phrase “control management”. As a concept it does not seem to exist. COSO 2.0 should be the textbook of control management in the form of intelligent, cost effective, evidence based, not belief based  control design and should promote control as a manageable dimension of the business in the same way we manage human resources marketing or any other business function. Controls exist to achieve business results, not to support a control testing industry. We are in the game to win it.

NO TIME OUTS
If anything, COSO is off to a slow start. But a 2012 projected release date is ambitious. There is a huge amount of work to do and a short time to do it. Every GRC professional, certainly those who are members of the COSO organizations, will need to pitch in with ideas and comments as exposure drafts appear. The need for COSO 2.0 as I envisage it is urgent.

Oh, and by the way, try to keep it short and simple.

I’d love to hear your comments. What would you like to see in COSO 2.0?