
Corporate Governance: Beyond Compliance at a Time of Recession

Prof. Ashley G. Frank
BA(Econ) [Magna Cum Laude], MDPA [Cum Laude], MBA, MCom [Cum Laude], DCom

• Codes, guidelines and initiatives of corporate
governance introduced risk and control elements
into various functional areas
• Firms have entered recession with compliance,
legal, internal audit and enterprise risk
management functions of considerable size and
scope
• However, there is often no single cross-functional
definition of what “risk” or “compliance” means.
• Recession must focus concerns over increased
expenses and duplication of activities
• For Internal Auditors, governance, risk and
compliance:
- risk to independence or
- lead (advice on process requirements) and
participate in the processes themselves
• ISPPIA (Standard 2110): “assess and make
recommendations for improving governance
processes”
• Status within organization determines how
auditors deploy and manage dual roles:
- primary driver or advise other functional areas
driving the process
• Clarity of objectives and goals key to governance,
risk and compliance processes
• Are solutions being sought in keeping with
organization’s goals, culture and stakeholder
expectations?
• Common definition of issue significance and
station for tracking & reporting
• Efficiencies through leveraging of common
processes and increased knowledge sharing across
functions
• Consistent view of an organization’s risk and
prioritization of issues requiring management attention.
• But integrating governance, risk and compliance
may be detrimental to individual risk and control
units.
Thus: integration objectives must be clear
(1) Adopt a strategic framework
(2) Ask: How does integration help achieve the
framework’s mission?
Goal: Integration of common processes and
alignment of focus
Not: Added competition/distraction from units
that already exist or creation of new infrastructure.
A Strategic Framework for Corporate Governance (diagram)
• Top / Strategic: Overall policy and risk appetite set by
Board and Executive Management
• Value Creation & Preservation
• Enterprise Risk Policy & Appetite
• Policy establishes:
- Role of each function
- Common goal of managing organization’s risks
- Expectation of working relationships and
knowledge sharing
• Legal / Internal Audit / Compliance / Safety / IT /
Finance
• King III
• Each risk and control function continues to execute
its unique role as a part of a fully integrated effort with
a common goal to manage the organization's risks
• Risk Assessment; Emerging Risk Identification;
Risk/Control Monitoring (Key Risk Indicators)
• Identify and leverage common processes,
technologies and knowledge
(1) Working team from functions which should
participate
- establishes common understanding of “integration”, goals
and internal vision, e.g.:
  - agree common risk management concept
  - maintain independence/objectivity of each function
  - rationalize and harmonize approaches
  - share information cross-functionally
(2) Discuss internal vision with executive
management and board (or audit committee)
- present both benefits and potential pitfalls!
- test against Strategic Framework
(3) Consider areas where initial opportunities for
improvement exist
- Usually among processes involving communications,
knowledge-sharing, scheduling or risk assessments.
(4) Detail plans to tackle inceptive projects
- Consider resourcing needs as well as mechanisms for
feedback
(5) Develop an overall risk management policy
- Include legal/technical/corporate governance aspects
- What is the organization’s “risk-appetite”?
(6) Establish success factors and measurement points
- Ensure feedback mechanism allows lessons to be
learned
(7) Iterative process for further working group
sessions
- Develop a final vision and organization-specific goals.
(8) Finalize Board’s risk policy
- Use working group reassessment outputs
- Is the current policy still valid or does a new one have to
be developed?
(9) Gain Board’s (or audit committee’s) formal
approval
- Internal auditors to provide assurance on both design
and implementation of audit plan.
(10) Execute!
