Indonesian Entrepreneurs Organization
Corporate Governance Workshop
October 2015
Key elements of Management Control
What it involves?
[Diagram, IFC Methodology: the Board provides oversight of Management Control, which comprises Planning and Monitoring, Compliance, Risk Management, Internal Control, Internal Audit, External Audit, and Information and Communication.]
[Slide template diagram, repeated on the following slides: How do we define Corporate Governance? Shareholders, Board of Directors, Management]
Implementing an integrated framework
Management Control
Business planning
» What are we trying to achieve and how will we achieve it?
» What resources are needed?
» How will we measure progress?
Internal control
» What control activities can safeguard against business risk?
» Do we have the right processes and information in place to monitor performance?
Compliance
» What functions do we have to ensure compliance with external laws, regulations, internal policies and by‐laws?
Performance monitoring
» How is the company performing against its defined objectives?
» How is the company performing in its risk related activities?
» What are the vital changes that the company needs to make to improve performance?
Risk management
» What risks exist in the company’s business?
» What is the impact and probability of each risk?
» What actions can the company take to mitigate these risks?
Internal Audit
» Are the company’s risk management and control processes working effectively?
» How can they be improved?
Elements of Management control
Internal Controls
» An assurance that sound internal control processes are in place and working effectively to ensure fiduciary and operational integrity and management of the company risks
Other Management Control considerations
Key‐person risk » Over reliance on one or more individuals is appropriately mitigated
Organization structure » Structure and roles are clear, logical, and understood
Information flow » Communication in the organization is timely and transparent
IT Systems » Help optimize the business and can support future growth
Reporting and skills » Adequate reporting and analytical skills in the organization to make use of data and help support decision‐making
Roles and responsibilities
Board of Directors / Audit Committee » Governance, guidance and oversight
CEO » Ultimate ownership and responsibility
Senior Management » Assign specific internal control policies & procedures to functional units
Business Planning and Monitoring Processes
Using a structured approach
A more formal process ensures strategy is set and monitored formally by the board – not just one person informally setting it.
Performance Management Process
Strategic Planning Process: Mission, Goals, Objectives, Initiatives, Measures, Monitor
Budgeting Process: Forecast (What is the financial impact of our strategies?); Budget (What is our financial plan, against which to manage?)
Risk Management Process: Risks (What can go wrong?); Mitigating Actions (How can we prevent things from going wrong?)
Risk Governance
Key Components for Risk Governance
» Ensure the Board is playing an active role in Risk Governance, including setting of strategy, risk appetite, and sound oversight
» Ensure there is an effective structure and framework for risk management embedded in the company
» Ensure there are effective controls and audit functions to provide assurance
» Ensure there is a strong risk management culture instilled throughout the organization
Key Components of Risk Governance
Board: Risk Appetite, Strategy, & Oversight
Management: Risk Management framework
Assurance: Controls and Audit
3 lines of defense framework
An approach for risk governance
1st line of defence: BU process and risk owners
2nd line of defence: Risk Management (Design, interpret, monitor & report)
3rd line of defence: Internal Audit (Test & verify)
Governing Body/Boards (Oversight)
1st and 2nd line need robust risk profiles
Reporting can only be as good as the underlying analysis
Oversight & Guidance: Board
Escalation: Risk and Audit Committees
Coordination: Risk management division
Ownership: Business units
Assurance: Internal Audit
Risk Governance/Mgt Actors & Roles
Board:
» Ultimate accountability for the risk situation
» Articulation of risk appetite, communication of risk strategy
» Approval and review of risk policies
Risk and Audit Committees:
» Reviewing and challenging risk information
» Escalating key issues to the Board
Risk management division:
» Facilitation and co‐ordination of risk management activity across the bank
Business units:
» Identification, assessment, measurement, monitoring and reporting business risks
Internal Audit:
» Independent assessment of the effectiveness of risk management function
Sample Risk Governance Structure - FIs
Governance: Board of Directors, with Corporate Governance Committee, Risk Management Committee, Audit Committee and Remuneration Committee
Senior Management, with Asset & Liability Management Committee, Credit Risk Committee and Operational Risk Committee
Business Units
[Second sample structure: Board of Directors; Senior Management; CRO; Performance Management; Risk Management Team; Internal Audit; Business Units]
Comparable Standards
Essentially identical risk management processes in the two standards
Source: Aon Risk Solutions, White Paper on Risk Management Committee, 2011
Risk Management Process in Simple Form
Five steps process
[Diagram: Risk Management Process as a cycle of five numbered steps (1 to 5); only the label "Monitoring and reporting" survives extraction.]
Common Themes in Risk Management Frameworks
1. Risk governance, overall environment, culture
2. Linked to the achievement of objectives/strategies
3. Identification of risks and opportunities
4. Assessment and prioritization of risks
5. Risk measurement and aggregation
6. Determining response
7. Monitoring and reviewing
8. Establishing controls
9. Communication
10. ‘The Use Test’
New approaches to Risk Management
Emerging trends
Conventional practices
» Silo‐based risk management leads to silo‐based reporting
» Board packages often contain a lot of data, not always risk information or analysis
» Performance‐focused
» Focus is on business risks
» Somehow difficult to drive action
» Not forward‐looking
Emerging trends
» Effort to aggregate existing risk reporting packages – comprehensive or portfolio view of risks
» Non‐financial risks are added to risk reporting
» More forward‐looking measures help assess potential impact on organization
» Increased focus on exceptions and trends
» Strengthened linkage between risk reporting, performance measurement, and strategy
» More actionable type of reporting and analysis
Exercise
You’ve just been assigned as CRO of a company.
What strategies might you suggest to your board to help embed risk management into the organization?
[Diagram: Board of Directors; Senior Management; CRO; Risk Management Team; Internal Audit; Business Units, annotated with: Routine risk reports; Part of routine management meetings; Made part of managers’ scorecards/objectives; Encouraged to elevate problems, not penalized]
Strategies for Embedding Risk Management in the Organization
» Make an integral part of the strategy and oversight processes; not a stand-alone function
» Encourage discussion of risk during routine management status meetings; don’t penalize
Considering a CRO
Main principles – depends on each company
Primary role:
» Independent oversight of bank‐wide risks
» Engage with the board and other senior management on key risk issues
» Key principle: Avoidance of “double‐hatting”, i.e. CEO/CFO also serving as the CRO
Tenure:
» Prior approval from the Board for removal of a CRO, public disclosure of the same
» Discussion of the removal of the CRO with the banking regulator/supervisor
Compensation:
» Compensation and other incentives should be sufficient to attract and retain qualified personnel
Other:
» CRO’s expertise should match the risk profile of the bank
Understanding the Board’s risk awareness
Key questions to be answered
» Does the board ever discuss current and future risks as an agenda item?
» Is the Board aware of the appropriate risk‐reward tradeoff that the company is pursuing?
» What are the serious challenges the company is facing at the moment?
Articulation of risk appetite
Qualitative risk appetite articulation:
» Series of qualitative statements outlining risk appetite
» Risk appetite statements for individual risk
Risk tolerances:
» Articulation through Risk indicators, KRIs and zero tolerance risks
Risk limits/thresholds:
» Quantitative statements describing risk appetite
» Serve as essential elements in risk control
Articulation of Risk Appetite (1/2)
Representation of risk appetite in a Bank (Illustrative)
Metric: Quantitative Indicators
Earnings Volatility: Not deliver profits after tax below market consensus earning forecast by more than x%
Return on equity: Target return on equity is x%
Target capital ratios: Tier 1 capital should not fall below 10% of RWA and total capital ratio should not fall below 15%
Credit rating: AA is our target rating and our intention is to maintain it
Advances / Deposits: Ratio to be within the limits agreed with the Board
Growth rate for each key portfolio: Target growth rate of xx% for corporate, yy% for retail, zz% for investments etc.
Target market share: XX% market share for ABC segment by 20XX
Target concentration level: Name concentration and sector concentration limits
Target impairment levels: Max. of XX% NPLs (as percentage of total loans)
Risk Management vs. Internal Control
Risk Management
» Identify key risks to the company
» Measure exposures to those risks
» Monitor risk vulnerability and determine the corresponding need on an ongoing basis
» Control or mitigate risk exposures
» Report to Senior management and the Board
Internal Control
» Designed to ensure each key risk has a process to help control the risks
» Help to ensure process integrity, compliance and effectiveness
» Provide comfort that financial and management information is reliable, timely and complete
» Place reasonable checks on managerial and employee discretion
Example: Linking Risk Mgt, Internal Control, and Internal Audit
Unit: Hotels & Resorts - Financial Management
Columns: Objective | Risks | Priority (Impact/Probability) | Control | Internal Audit
Objective 1.1 Revenue - Ensure accurate collection and recording of cash revenue transactions in hotel operations.
Risk R1.1B: Guest room revenue is not recorded and/or collected.
Priority: High
Control: Night audits are performed to balance cash/credit receipts with system balances.
Internal Audit: Semi-Annual: Review samples semi-annually to ensure all balance and recorded properly.
Objective 1.2 Expenditures - Ensure major purchases are authorized and accounted for.
Risk R1.2A: Staff make purchases beyond their authorized limits.
Priority: Med
Control: Signatures are required for purchases above defined thresholds. Expenditure reports are monitored monthly.
Internal Audit: Annual: Pull sample of large purchases for proper authorizations; Interview Purchasing staff to ensure reports are being monitored.
• Do the board and management appropriately assess risks when planning new strategies, activities and products?
Internal Control
• What is the role of the audit committee and the board in ensuring that proper internal controls are maintained, risks are managed and that the company is in compliance with all relevant laws and regulations?
• Describe how the company’s internal controls (operational, financial and compliance, including IT systems) are designed and maintained.
• Were there any significant problems in internal controls in the past 5 years? Please describe.
• Does the board monitor that management responds to the deficiencies identified in Management Letters?
• Are internal controls designed in accordance with a relevant framework, e.g., COSO, COBIT, Basel?
A Sound Internal Control Framework
» Does the company operate a system of internal control that is effective in ensuring:
  Compliance with laws and regulations
  That all transactions are properly accounted for and allow for proper preparation of financial statements
  That assets are safeguarded against improper or unauthorized use
» Is the internal control framework properly embedded across the entire organization, clearly understood and reinforced by management?
» Is the control framework regularly documented and reviewed to ensure its ongoing effectiveness?
COSO Framework for Internal Control
[Table with columns Component | COSO Definition; the table body did not survive extraction]
Maintaining a Sound System of Internal Control
Responsibilities
Board of Directors:
» Set appropriate policies on internal controls
» Seek regular assurance to satisfy that the system is functioning effectively
» Ensure that the system is effective in managing the risks in an approved approach
Management:
» Implement board policies on risk and control
» Identify and evaluate the risk faced by the company
Employees:
» Should have necessary knowledge, skills, information
» Should have an authority to establish, operate and monitor the system of internal controls
Source: Financial Reporting Council ‐ Guidance for Directors on the Combined Code, 2005
Management Oversight & the Control Culture
» Has the ultimate responsibility for ensuring that an adequate and effective system of internal controls is established and maintained
» Should include in its activities the following: Periodic discussions with management concerning the effectiveness of
Senior Management:
» Responsible for carrying out the directives of the board of directors, including the implementation of strategies and policies and the establishment of an effective internal control
Control Culture:
» Board of Directors and Senior management are responsible for promoting high ethical and integrity standards, and for establishing a culture within the organization that emphasizes and demonstrates to all levels of personnel the importance of internal controls
Internal Audit
OBJECTIVE: To provide the board and management with reasonable assurance that the organization has a sound system of internal control to protect against loss
Key Questions to Ask about Internal Audit
• To whom does the Chief Internal Auditor report? How is the IA chief hired/fired and does the CIA privately meet with the board or the audit committee?
• What is the relationship between IA, the Chair, CEO, CFO, CRO, CIO and external auditor?
• Are the IA work plans reviewed by the audit committee or the board?
• Does the board monitor management’s response to deficiencies and weaknesses identified by the IA function?
• Were there any significant problems with internal audit in the past five years? Please describe.
• What are the audit standards applied by IA, e.g., IIA Standards?
• Does the external auditor rely on the work of internal audit in conduct of the annual financial statement audit?
Internal Audit vs. Internal Control
Key differences
Internal Audit
» Reports to board, Audit committee and is independent of business units
» Conducts reviews of the systems of internal control to offer a second, independent view on their robustness
» Provides an independent assessment of the adequacy and compliance with the established internal controls
Internal Control
» The internal control environment is established by Business Units to manage the risks inherent within the products they are delivering
» Business Units will discuss and agree these risks with risk management and internal audit
» Business Units are responsible for the effectiveness of their internal control systems
Internal Audit and Audit Committee
Relationship
Audit Committee
» Enable an audit team that is independent, empowered and sufficiently staffed and resourced
» Ensure the internal audit plan is sufficiently broad in scope and executed in a timely manner
» Ensure internal audit reports are actionable and that they are adequately implemented
» Promote effective committee functioning and staff the committee with sufficient expertise
» Promote an open, transparent relationship with the audit and other control professionals
Source: Moody’s – Best Practice in Audit Committee Oversight of Internal Audit
Audit Reporting
» All audit reports circulated to the Senior Management as well as line management responsible for the area audited
» CIA attends all Audit committee meetings and is allowed, at all meetings, an opportunity to meet with committee without management present
Internal audit and Control environment
CIA’s responsibilities
[Diagram, only partially recoverable: Accounting policies and procedures]
Qualifications and Skills
Professional and Personal
‘Professional’ Skills
» Licensed auditor
» Holds internationally accepted relevant certification (e.g. CPA, CIA, CFA, etc.)
» Ability to lead and manage auditing staff
» Knowledge of relevant standards and regulations in all jurisdictions in which the company operates
Personal
» Integrity – understands duties of loyalty and care
» Communication skills
» Honest and ethical
» Commitment to professional auditing standards
Thank You!
ifc.org/corporategovernance
Internal Control – Integrated Framework
Control Environment – Essential Components
[Diagram: COSO components – Control environment, Risk assessment, Control activities, Information and communication, Monitoring]
» Personnel integrity and ethical values
» Dedication to staff competence and skill enhancement
» Participation of board members and board committees
» Positive influence of management’s commitment
» Organizational structure that enables the management of the company
Internal Control – Integrated Framework
Risk Assessment
Steps that need to be taken by the management to assess risks:
» Establishment of company’s risks to achieve its objectives
» Identification, analysis and assessment of risks to achieve objectives
» Assessment of risks from internal and external sources at both the entity and the activity levels
» Assessment of risks related to ‘change in conditions’
Internal Control – Integrated Framework
Control Activities
Control activities consist of the following:
» Policies and procedures that ensure management directives are carried out
» Control activities occur throughout the company at all levels and functions
» Control activities include limits, approvals, authorizations, verifications, reconciliations, reviews of operating performance and segregation of duties
Source: COSO Integrated Framework
Internal Control – Integrated Framework
Monitoring
Monitoring consists of the following:
» Internal control systems need to be monitored over time to assess their quality and performance
Internal Control – Integrated Framework
Information and Communication
Information and communication consist of the following:
» All personnel must receive a clear message from top management to take control activities seriously
» Information needed by personnel to do their job