
1

Governance Model for Trusted Businesses

Linking Governance to Sustainable Value Creation

BPM GOSPEL (LLP-LDV-TOI-2010-HU-001)

This project has been funded with support from the European Commission. This publication reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.

2

Agenda

1. What’s the business world coming to?
2. Do we need to change to the better?
3. What do we have so far?
4. We have already realized that we need more
5. That’s where we come in
6. General information on Process Assessment
7. Governance Model for Trusted Businesses
8. Our vision on tomorrow’s business world

3

1. What‘s the business world coming to?


Fraudulent Representation – not limited to financial reporting

Bad Bank

Country bankruptcy

I have lost my house and savings and have debt difficult to repay during the rest of my life.

I am 35 years old.

4

2. Do we need to change to the better?

Yes, we need to!

5

3. What do we already have so far?

• Sarbanes-Oxley Act for US-SEC registrants and their affiliates globally

• Basel Framework

• Company Law in the EU

• European and national directives for governmental and public sector organizations

• etc.

1/2

6

3. What do we already have so far?

• Existing laws and regulations already require the implementation of internationally accepted, sophisticated risk management and internal control systems which are periodically assessed in terms of effectiveness, with the results of the assessments disclosed to the stakeholders and …

to be continued on the next page

2/2

7

4. We have already realized that we need more

... the financial and governmental sectors and the regulators are keen to extend and further develop the already existing mandatory rules and guidelines to all governance-related processes which are not yet addressed in the existing set of regulations, and thus regain the trust of the stakeholders with trusted businesses.

8

5. That‘s where we come in

Governance Model for Trusted Businesses

Linking Governance to sustainable value creation

We want to introduce a new methodology which puts our need to change into action.

9

6. General information on Process Assessment using the most acknowledged control frameworks

• An integral part of conducting a process assessment is to use a Process Assessment Model (PAM), related to Process Reference Model(s) (PRM) and conformant with the requirements defined in ISO/IEC 15504-2.

• ISO/IEC 15504-2 provides a framework for process assessment and sets out the minimum requirements for performing an assessment in order to ensure consistency and repeatability (objectivity) of the ratings.

• The COSO and COBIT based Process Reference Models associated with the process attributes defined in ISO/IEC 15504-2 provide a common basis for performing assessments of governance capability regarding internal controls and reporting of results by using a common rating scale. ISO/IEC 15504 offers not only a transparent method for assessing performance of relevant governance processes, but also tools for assessing control risk areas based on the gaps between target and assessed capability profiles.

1/4

10

6. General information on Process Assessment using the most acknowledged control frameworks

The Process Assessment Model according to ISO/IEC 15504 Process Assessment (SPICE) defines a two-dimensional model of process capability. In one dimension, the process dimension, the processes are defined and classified into process categories. In the other dimension, the capability dimension, a set of process attributes grouped into capability levels is defined. The process attributes provide the measurable characteristics of process capability.

Figure 1: Components of ISO/IEC 15504 Process Assessment

2/4

11

Figure 1: Measurement Framework of ISO/IEC 15504 Process Assessment

Within a Process Assessment Model, the measure of capability is based upon the nine process attributes (PA) defined in ISO/IEC 15504-2 which are grouped in six capability levels. Process attributes are used to determine whether a process has reached a given capability. Each attribute measures a particular aspect of the process capability. At each level there is no ordering between the process attributes; each attribute addresses a specific aspect of the capability level.

3/4

6. General information on Process Assessment using the most acknowledged control frameworks

12

• The nine process attributes are evaluated on a four point ordinal scale of achievement, as defined in ISO/IEC 15504-2. They provide insight into the specific aspects of process capability required to support process improvement and capability determination.

• The process capability assessment is based on assessment indicators. Process Attribute Indicators (PAI) apply for levels 1-5; Base Practices and Work Products apply (on top) exclusively for level 1.

Figure 3: Four point ordinal scale for evaluating the achievement of process attribute

4/4

6. General information on Process Assessment using the most acknowledged control frameworks

13

7. Governance Model for Trusted Businesses
What is it?

• The Governance Model for Trusted Businesses (Governance SPICE) relates to the capability assessment of processes in the areas of Governance, Risk Management and Internal Control and is based on the following concepts:

· Corporate Governance Principles (OECD)
· Recognized Control Frameworks (COSO & COBIT)
· Risk Tolerance and Risk Appetite (as of COSO ERM)
· Performance Measurement (as of COBIT)
· Process Capability Assessment (ISO/IEC 15504-2:2003)
· Evaluating Process-related Risk (ISO/IEC 15504-4:2004)
· Organizational Maturity (ISO/IEC TR 15504-7:2008)

1/8

14

7. Governance Model for Trusted Businesses
Eleven Governance Objectives as a basis for determining governance processes

• The Governance Model interprets the following eleven governance objectives for determining governance processes as special applications of the recognized reference models (COSO, COBIT and Enterprise SPICE) and trusted business principles:

• Supporting Organization’s Internal Control System
– Risk Awareness
– Accountability
– Competency
– Accuracy
– Process Integrity
– Data Protection
– Commitment
– Control Efficiency

• Supporting Business Sustainability
– Competitiveness
– Exploitability
– Satisfaction

2/8

15

7. Governance Model for Trusted Businesses
Eleven governance processes classified into two application categories

Process Dimension

Based on the eleven relevant governance objectives the governance model determines eleven governance processes as special applications of the recognized reference models (COSO, COBIT and Enterprise SPICE) and trusted business principles. The eleven governance processes are classified into the following two Application Categories:

Governance of Controlled Business Operation Application Category

• Control Risks – The organization and its staff adequately address risks to the governance objectives relevant for financial reporting and trusted business operation and consider those risks in management of business operation.

• Control Management – The management of the organization is able to control business processes in a way which is adequate to the objectives of internal control over financial reporting and trusted business operation.

• Control Competence – Sufficient skills and knowledge relevant for the objectives of internal control over financial reporting and trusted business operation are available and used.

• Information Reliability – Data architecture and disclosure elements relevant for financial reporting objectives and trusted business operation, and for supporting data processing integrity, are accurate and consistent.

3/8

16

7. Governance Model for Trusted Businesses
Eleven governance processes classified into two application categories

• Process Control – Design and operation of process-level controls relevant to the objectives of financial reporting and trusted business operation, and the processing integrity principle, are effective.

• Data Protection – The organization and its staff are committed to security, confidentiality and privacy principles to avoid unauthorized access to and misuse of confidential data affected by business operation.

• Integrity Assurance – The organization and its staff are committed to comply with ethical and business integrity requirements relevant to the objectives of financial reporting and trusted business operation, and the availability principle.

• Control Efficiency – Efficient usage of control resources relevant to the objectives of financial reporting and trusted business operation.

Governance of Controlled Business Operation Application Category

• Competitive Operation – Ensuring market recognition of the business operation.

• Exploitable Operation – Organization realizes optimal value from business operation.

• Satisfactory Operation – Ensuring user/customer satisfaction based on agreed levels of business operation.

Process Dimension

4/8

17

7. Governance Model for Trusted Businesses
Four main objective categories mapped to capability levels

In the measurement framework of the Governance SPICE model the main objective categories of the COSO model are mapped to the capability levels of ISO/IEC 15504.

Capability Dimension

Figure 13: Mapping ISO/IEC 15504 capability levels to COSO objective categories

5/8

18

7. Governance Model for Trusted Businesses
Assessing Control Risk Areas

• Risk Appetite and Risk Tolerance according to the Enterprise Risk Management concept (ERM) are the decisive criteria for setting the target process capability profiles, which are measured via the ratings of the process attributes. The risk appetite of an entity is a high-level view of the decision-making body of a company on how much risk it is willing to take. Risk tolerance is the acceptable level of variation around objectives and is aligned with the risk appetite.

• Only ratings of Fully achieved or Largely achieved should be set.

• Process-related risk results from the existence of gaps between the target and the assessed process profiles.

6/8

19

7. Governance Model for Trusted Businesses
Assessing Control Risk Areas

• The process attribute gap can be categorized into “None”, “Minor” and “Major” categories based on the distance between the target and assessed ratings.

• The probability of problem occurrence is derived from the extent of process attribute gaps and from the capability level where they occur. Capability level gaps are categorized as follows:
– None – No major or minor gaps
– Slight – No gap at level 1, and only minor gaps at higher levels
– Significant – A minor gap at level 1, or a single major gap above
– Substantial – A major gap at level 1, or more than one major gap above

• The process related risk depends on both the probability of problem arising from the identified gap and the potential consequence. In general the consequences depend on the capability levels where the gaps occur.
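The gap rules on the two "Assessing Control Risk Areas" slides above can be run as code. The following Python is an added example, not part of the BPM GOSPEL project material. It assumes the nine ISO/IEC 15504-2 process attributes grouped as PA1.1 (level 1) through PA5.2 (level 5), that a "Minor" attribute gap is one step on the N/P/L/F scale below target and a "Major" gap two or more steps (the slides only say the category depends on the distance), and that an attribute the assessment did not rate counts as N. The target and assessed profiles in it are constructed sample data.

```python
"""Gap categorisation between a target and an assessed process capability
profile, following the categories on the slides. Added example, not part
of the BPM GOSPEL material."""

# ISO/IEC 15504-2 four-point ordinal scale: N (not), P (partially),
# L (largely), F (fully) achieved, ordered low to high.
RATING_ORDER = {"N": 0, "P": 1, "L": 2, "F": 3}

# The nine process attributes of ISO/IEC 15504-2 and the capability level
# each one belongs to (levels 1..5; level 0 has no attribute).
PA_LEVEL = {
    "PA1.1": 1,
    "PA2.1": 2, "PA2.2": 2,
    "PA3.1": 3, "PA3.2": 3,
    "PA4.1": 4, "PA4.2": 4,
    "PA5.1": 5, "PA5.2": 5,
}


def validate_target_profile(target):
    """A target profile may only demand F or L (slide: "Only ratings of
    Fully achieved or Largely achieved should be set"). Returns the list
    of offending attributes, empty when the profile is acceptable."""
    return [pa for pa, rating in target.items() if rating not in ("F", "L")]


def attribute_gap(target_rating, assessed_rating):
    """Classify one process attribute gap as 'None', 'Minor' or 'Major'.
    ASSUMPTION: one rating step below target is Minor, two or more steps
    is Major; the slides only state that the distance decides."""
    distance = RATING_ORDER[target_rating] - RATING_ORDER[assessed_rating]
    if distance <= 0:
        return "None"
    if distance == 1:
        return "Minor"
    return "Major"


def attribute_gaps(target, assessed):
    """Gap category for every attribute in the target profile. An attribute
    the assessment did not rate is treated as N (assumption)."""
    return {pa: attribute_gap(t, assessed.get(pa, "N")) for pa, t in target.items()}


def capability_gap_category(gaps):
    """Apply the slide's four capability level gap rules, checked from most
    to least severe so a profile matching several rules gets the worst."""
    at_level1 = [g for pa, g in gaps.items() if PA_LEVEL[pa] == 1]
    above = [g for pa, g in gaps.items() if PA_LEVEL[pa] > 1]
    if "Major" in at_level1 or above.count("Major") > 1:
        return "Substantial"
    if "Minor" in at_level1 or above.count("Major") == 1:
        return "Significant"
    if "Minor" in above:
        return "Slight"
    return "None"


def assess_process_risk(target, assessed):
    """Per-attribute gaps plus the probability-of-problem category for one
    process; rejects a target profile that breaks the F/L-only rule."""
    bad = validate_target_profile(target)
    if bad:
        raise ValueError(f"target profile must use only F or L ratings: {bad}")
    gaps = attribute_gaps(target, assessed)
    return {"gaps": gaps, "probability": capability_gap_category(gaps)}


# Constructed sample: a capability level 2 target profile for one governance
# process and the profile an assessment produced for it.
TARGET_LEVEL2 = {"PA1.1": "F", "PA2.1": "L", "PA2.2": "L"}
ASSESSED_SAMPLE = {"PA1.1": "F", "PA2.1": "P", "PA2.2": "L"}

if __name__ == "__main__":
    result = assess_process_risk(TARGET_LEVEL2, ASSESSED_SAMPLE)
    for pa, gap in result["gaps"].items():
        print(f"{pa}: target {TARGET_LEVEL2[pa]}, assessed "
              f"{ASSESSED_SAMPLE.get(pa, 'N')} -> {gap} gap")
    print("probability of problem occurrence:", result["probability"])
```

The sample profile has one minor gap at level 2 and none at level 1, so it lands in the "Slight" category. The consequence side of the risk, which the slide says depends on the capability level where the gap occurs, is left out because the slides give no scale for it.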

7/8

20

7. Governance Model for Trusted Businesses
The key benefits at a glance

• Common, integrated and most acknowledged assessment model

• Process capability determination applicable to all relevant processes

• Value-adding tool for all stakeholders of a company
– Decision-making body of a company
– Internal & External Auditors
– Customers
– Suppliers
– Shareholders
– Other stakeholders

• Improved Corporate Governance as USP

8/8

21

Our vision of tomorrow’s business world

Honest Representation in all relevant activity areas

Good Bank

Trusted Businesses

I have my house, some savings, and will not burden the next generation with my debt.

I am 35 years old.

22

Annex 1: The 20 basic COSO principles

• Control Environment (CE)
1. Integrity and Ethical Values (IEV). Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting.
2. Oversight Board (OB). The board of directors and/or audit committee understand and exercise oversight responsibility related to financial reporting and related internal control.
3. Management’s Philosophy and Operating Style (MPO). Management’s philosophy and operating style support achieving effective internal control over financial reporting.
4. Organizational Structure (OS). The entity’s organizational structure supports effective internal control over financial reporting.
5. Financial Reporting Competencies (FRC). The organization retains individuals competent in financial reporting and related oversight roles.
6. Authority and Responsibility (AR). Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.
7. Human Resources (HR). Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting.

23

Annex 1: The 20 basic COSO principles

• Risk Assessment (RA)
1. Financial Reporting Objectives (FRO). Management specifies financial reporting objectives with sufficient clarity and criteria to enable the identification of risks to reliable financial reporting.
2. Financial Reporting Risks (FRR). The organization identifies and analyzes risks to the achievement of financial reporting objectives as a basis for determining how the risks should be managed.
3. Fraud Risk (FR). The potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting objectives.

• Control Activities (CA)
1. Integration with Risk Assessment (IRA). Actions are taken to address risks to the achievement of financial reporting objectives.
2. Selection and Development of Control Activities (SD). Control activities are selected and developed considering their cost and their potential effectiveness in mitigating risks to the achievement of financial reporting objectives.
3. Policies and Procedures (PD). Policies related to reliable financial reporting are established and communicated throughout the organization, with corresponding procedures resulting in management directives being carried out.
4. Information Technology (IT). Information technology controls, where applicable, are designed and implemented to support the achievement of financial reporting objectives.

24

Annex 1: The 20 basic COSO principles

• Information and Communication (IC)
1. Financial Reporting Information (FRI). Pertinent information is identified, captured, used at all levels of the organization, and distributed in a form and timeframe that supports the achievement of financial reporting objectives.
2. Internal Control Information (ICI). Information used to execute other control components is identified, captured, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities.
3. Internal Communication (IC). Communications enable and support understanding and execution of internal control objectives, processes, and individual responsibilities at all levels of the organization.
4. External Communication (EC). Matters affecting the achievement of financial reporting objectives are communicated with outside parties.

• Monitoring (MO)
1. Ongoing and Separate Evaluations (OSE). Ongoing and/or separate evaluations enable management to determine whether internal control over financial reporting is present and functioning.
2. Reporting Deficiencies (RD). Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action, and to management and the board as appropriate.