philip a f marshall c.a. f.c.a july 14 th 2011 establishing the governance strategy of the audit...

PHILIP A F MARSHALL C.A. F.C.A July 14th 2011

Establishing the Governance Strategy

of the Audit Committee

Identifying the performance drivers within the organisation’s intangible assets – Human Capital, Information Capital and Organisation Capital - to optimise the contribution of the role of the Audit Committee to the financial governance of the enterprise.

2

NO TOPIC

I Developing the strategic direction of the organisation 4

II Strategic Control Assurance Plan 10

III Business Process Management Best Practices 17

IV Culture and Context – Organisational Capital 27

THE AUDIT COMMITTEE’S GOVERNANCE STRATEGY MAP

3

Developing the strategic direction of the organisation and establishing its long

term goals and objectives. The governance role of the Board and

Audit Committee

4

Strategic Thinking Role of the Board Role Of Management

Collecting, analyzing, and discussing

information about the environment of the

organisation, the nature of competition, and

broad strategy design alternatives – different

views of customer value proposition, scope,

competitive advantage, and source of profit.

• Be an active participant in the strategic thinking process.• Bring an outside perspective• Test the consistency of management’s thinking.• Collaborate with management.

• Initiate the process of strategic thinking.• Set the agenda- pose the questions and issues.• Provide meaningful information.• Actively participate with the Board in the discussions.• Summarize the output of Board and management working together.

Strategic Decision-making Role of the Board Role Of Management

Making the fundamental set of decisions about

the business portfolio and business strategy

design.

• Provide input for management’s

decision making.

• Provide ultimate review and approval

on major decisions (resource

allocation, initiatives, portfolio changes)

• Make critical decisions• Develop proposals to the Board for critical directional decisions and major resource allocation.• Engage with the Board in its review of decisions.

ROLE OF THE BOARD/MANAGEMENT - REVIEW AND APPROVAL PROCESS - STRATEGIC DECISION-MAKING

Strategic Planning Role of the Board Role Of Management

Translating the critical strategic decisions into a

set of priorities, objectives, and resource

allocation actions to execute the strategy.

• Review core strategic plans presented

by management.

• Ensure understanding of the plans and

their potential risks & consequences.

• Comment and make suggestions on

plans, as appropriate.

• Approve plans.

• Develop plans, working with staff support and

operating management.

• Review plans to ensure consistency with

corporate objectives and the enterprise-wide

risk management process

• Present plans to the Board for review.

Copyright : Mercer Delta Consulting

: pafm: Adapted from Balanced Scorecard Collaborative Inc. P.MARSHALL Adapted from Balanced Scorecard Collaborative Inc.

STRATEGY MAPS – LEARNING & GROWTH PERSPECTIVEHow do we create

valuefrom intangible assets?

Learning & Growth Perspective

Process Perspective

Maximize the long termtotal return to shareholders

Expand RevenueSources

EnhanceCustomer

Value

ImproveCost Structure

Increase Asset Utilisation

Customer Value Proposition

Price Service Functionality Quality Availability Selection Partnership Brand

Product /Service Attributes Relationship Image

Operations ManagementProcesses

Processes that acquire and distribute products and services and integrate the supply chain

outputs

Marketing & SalesProcesses

Processes that identify unmet market needs and differentiate

with innovative product/services concepts

Customer ManagementProcesses

Processes that enhance customer value and are designed to manage

the customer experience

Enterprise Risk Mgmt Processes

Processes that identify enterprise risks and

proactively manage the potential risk events

Creating Alignment with Strategy Creating Readiness for Change

Productivity Strategy Revenue Growth Strategy Risk Management

Readiness for change - Align the Intangible Assets of an organisation’s with the strategic direction

1 Imbibe Values – performance and customer focus , teamwork: Create climate for action through alignment and empowerment.

2 Continuously build individual and organisation Competencies; Integrate IT in all business processes.

Financial Perspective

Customer Perspective

Human Capital Information Capital Organisational Capital+ +

• Applications• Databases – BI: KM

• Culture•

Leadership

• Knowledge Sharing• Teamwork

• Values• Skills

• Competencies • Systems / Networks/ Channels

• Business Process Assets

Intangible Assets

Governance Role of the Audit Committee ?

5

Adaptation Messrs Kaplan and Norton - BSCD Governance Strategy Map

Audit Committee Governance Strategy Map clarifies the areas of focus of the Audit Committee in contributing to the role of the Board

STRATEGY MAP - BOARD GOVERNANCE

Executive and Staff Oversight

Communications excellence. Ensure a teamwork culture and

knowledge sharing

Governance Processes re Staff Performance on mutually determinedStrategic objectives

Executive Succession Plans Workforce acquisition

and staffing plans

Enterprise Risk Mgmt

Information Security Management

InstitutionalisedRisk, Internal Control

and Integrity frameworks

Ensure disclosures onresidual risk are clear and

and reliable

Strategic Governance Outcomes

Board

Govern

an

ce P

rocesses

Sta

keh

old

er

Valu

eLearn

ing

&

Gro

wth

En

terp

rise

Con

trib

uti

on

Financial Oversight

Resource allocation basedon the entity’s Value

Chain activities ,

Financial Governance Covenants to Lenders

Compliance

Intangible Assets Value Drivers Industry/Customer Segments

Process Competencies Knowledge Management

Ensure readiness forchange and ability to execute

Performance Management BSCD Measurement

Assess Performance Drivers

Strategy options based on potential opportunities and

risk appetite exposure

Strategy Management

StakeholdersCommunications

Risk Management

Increase Profitabilityand Dividend Potential

Increased Value to

Shareholders

Organisation capabilities: Strategic profit management

Knowledge Management Design of Management Process

Good communications & teamwork across Board Committees and

in dialogue with top management

Information for Strategic Decision Making and Value reporting

Risk Management LeadershipRisk Management StructureEthics & Integrity frameworks

Increase Value Reported Sustainability Reputation & Trust

Monitoring, and reporting Outcome indicators

Strategic Alignment

• Strengthened Staff andManagement capability.

• Clearly defined performance accountabilities

Reputation, trust, and transparency.

Ethics institutionalised in the environment

Reliability in Financial Reporting and Value Created Reporting’

and ROI on Capital Spend

Talent Retention.Effective succession . Enterprise Capability

.

Board Governance Performance ● Effectiveness and efficiency of operations.● Reliability of financial reporting.● Compliance with applicable laws/regulations.

6

THE VALUE BASED VIEW OF STRATEGIC MANAGEMENT

VALUE DRIVER ANALYSIS

VALUE REPORTING

MANAGEMENT PROCESS RESIGN

VALUE ASSESSMENT Spread v. invested capital , by product

Scorecard

Economicprofit

Growth

Industry growth

Share of market

Returns

Operating margin

Asset intensity

Capital structure

Performance reward

Performance monitoring

Planning

Value goals

Budgeting

Issue: How can we better communicate our performance internally and externally?Output: Scorecard that tracks where and how value is being created on an ongoing basis

Issue: Where are we creating value?Output: Growth and return priorities

Issue: How are we creating value?Output: Operational initiatives to increase value

Issue: How can our management processes support value objectives?Output: Ability to identify, fund, track, and reward value-creating initiatives

Copyright © 2002 by American Institute of Certified Public Accountants, Inc. 7

CFO Research Services on effect of Human Capital on Business

Outcomes

Source: CFO Research Services

How much effect do you believe human capital has on each of the following business outcomes?

92%

82%

72%

71%

68%

66%

64%

Customer Satisfaction

Profitability

Innovation/ Product Development

Merger Acquisition Success

Revenue Per Employee

Speed to Market

Growth

% of survey participants responding to the above with HCM “large effect “ or “critical factor”

Learning and Growth Perspective - Human Capital

8

A Pathway to Principled Performance®: The OCEG Framework 9

THE BIG PICTURE OF ORGANISATIONAL PERFORMANCE

VOLUNTARY BOUNDARYboundary defined by management incl. public commitments, organisational values, contractual obligations & other voluntary policies

MANDATED BOUNDARYboundary established by external forces incl. laws, government regulation & other mandates

OBJECTIVESstrategic, operational,customer, process,compliance objectives

BUSINESS MODELBUSINESS MODELstrategy, people, process, technology, and Infrastructure in place to drive towards objectives

OPPORTUNITIES

OPPORTUNITIES

OPPORTUNITIES

OB

STA

CLES

&

TH

REA

TS

OCEG 2007

9

Rise of Principled Performance - Defining the Boundaries of Conduct

STRATEGIC CONTROL ASSURANCE PLAN


Strategic Control Assurance Plan

Copyright : Standards AS/NZ HB 254 -2005 Governance Risk Mgmt Control Assurance10

11Copyright : Standards AS/NZ HB 254 -2005 Governance Risk Mgmt Control Assurance

Corporate governance is an organisation’s strategic response to risk

The BoardThe Board Organisation Organisation

4

Management Assurance


3

Independent AssuranceIndependent Assurance

5

2



INFORMATION SYSTEMS

1

4

The Board is responsible for the organisation’s overall control framework that complements the

strategic and operational planning process. This responsibility is discharged by setting

appropriate risk and control policies, and by seeking regular assurance regarding the

effectiveness of the control environment.

Control assurance operates through the five Control Elements as follows

• Planning• Board• Organisation• Management assurance• Independent assurance

12

The Strategic Direction Plan is framed by four Control ElementsThe Strategic Direction Plan is framed by four Control Elements

Organisation

The Organisation includes the Executive Director , senior

managers and staff , and delivers organisational outputs in

line with the planned corporate outcomes. This control

element provides the opportunity to exercise a high degree

control through sound HR and ethical practices in an

environment of open communication. Monitoring and

performance review in this control element make significant

contributions to the Board’s strategy-management

responsibilities .

Organisation

The Organisation includes the Executive Director , senior

managers and staff , and delivers organisational outputs in

line with the planned corporate outcomes. This control

element provides the opportunity to exercise a high degree

control through sound HR and ethical practices in an

environment of open communication. Monitoring and

performance review in this control element make significant

contributions to the Board’s strategy-management

responsibilities .


Management Assurance provides the Board with assurance

through management monitoring, reviewing and reporting of

organisational performance against stated objectives and

compliance against laws, regulations, policies, procedures,

etc. Management teams or committees may be established

to assist in this process.


Management Assurance provides the Board with assurance

through management monitoring, reviewing and reporting of

organisational performance against stated objectives and

compliance against laws, regulations, policies, procedures,

etc. Management teams or committees may be established

to assist in this process.

The BoardThe Board as the shareholder representative has responsibility

and accountability for organisational performance to key stakeholders. As well as its oversight role in ensuring

Adherence to established policies and the strategic directionit has a tactical role in maintaining a watching brief over theExternal and internal environments and organisational Performance through the Executive Director, and obtaining balanced assurance over the control

environment from management and Independent sources.

The BoardThe Board as the shareholder representative has responsibility

and accountability for organisational performance to key stakeholders. As well as its oversight role in ensuringAdherence to established policies and the strategic direction

it has a tactical role in maintaining a watching brief over theExternal and internal environments and organisational

Performance through the Executive Director, and obtaining balanced assurance over the control environment from management and Independent sources.

Independent Assurance

Independent Assurance presents the Board with objective

information on the control environment through independent

bodies such as external and internal audit, and audit

committees. This control element provides a check and

balance for the outputs of the Management Assurance

control element. When the Board receives positive feedback

on the control environment from these independent bodies it

can have confidence in the assurance received from

Management.

Independent Assurance

Independent Assurance presents the Board with objective

information on the control environment through independent

bodies such as external and internal audit, and audit

committees. This control element provides a check and

balance for the outputs of the Management Assurance

control element. When the Board receives positive feedback

on the control environment from these independent bodies it

can have confidence in the assurance received from

Management.

4

3

5

2



INFORMATION SYSTEMS

1

Copyright : Standards AS/NZ HB 254 -2005 Governance Risk Mgmt Control Assurance

13

Goals and objectives–The focus of the Controls Assurance Plan

An understanding of the relationship between corporate governance, risk management, controls and strategies is fundamental to the successful implementation of the proposed Controls Assurance Plan. This relationship may be summarised as follows

1 Corporate governance is a guidance system for the achievement of planned objectives–it is an objectives-focused concept.

2 Management of risk is part of each objective at all levels of the organisation.

3 Risk management develops risk treatment plans that are at the same time the controls and strategies associated with achieving each objective.

4 The meaning of control is broader than internal financial control and is expanded to include all planning and strategies put in place after the corporate objectives have been set.Transparency and probity are part of this control environment.

5 The control environment provides reasonable assurance to Boards and senior managers that the organisational objectives will be achieved within an acceptable degree of residual risk.

6 Corporate governance is an organisation’s strategic response to risk

7 Reporting against performance measures for each objective is also a report on the effectiveness of strategies, controls and the risk management process for that objective. Risk management reporting is therefore part of performance reporting and not a separate exercise. Effective risk management is therefore the cornerstone of sound governance.

Copyright : Standards AS/NZ HB 254 -2005 Governance Risk Mgmt Control Assurance

Control Assurance Plan - Information Systems

A Pathway to Principled Performance®: The OCEG Framework

Key Roles and Accountability – Governance Risk and Compliance Systems

Who should drive integration? What should it look like? To realize a high-performing GRC system, several key players must be actively involved in the design, implementation, & management of the system.

The Role of the Board The Board has oversight of the system and ultimately is the primary beneficiary of it, since a strong GRC system enables the flow of accurate information necessary to effective governance. The Board must be an active monitor for shareholder and stakeholder benefit and must :

Direct the purpose and desired outcomes of the system

Set a charter for its involvement in the system

Vet business objectives and ensure they are congruent with values & risks

Be knowledgeable about the design and operation of the system

Obtain regular assurance that the system is effective

Gain reasonable assurance that management’s representations are sound

Operate aspects of the system that require Board perspective and

independence (eg overseeing senior management’s override of control activities)

14



Key Roles and Accountability

The Role of Management

Management must undertake strategic planning and implementation of the GRC system. Taken as a

whole, management must:

Design, implement and operate an effective system or some aspect of a system

Provide regular assurance about the effectiveness of the system

Communicate with key stakeholders about the effectiveness of the system

Evaluate and optimize the performance of the system

The Role of Assurance

Management should obtain and provide regular assurance about the effectiveness and performance

of the GRC system. An independent review can open up a view of the system that reveals not only

weaknesses in design or operation, but also opportunities for further integration and exchange of

best practices from one area of the organization to another.

15



Key Roles and Accountability

The Role of Assurance (cont’d) For its part, the Board is required to obtain regular assurance about the effectiveness of the system and should use information developed independently of management to form impressions of the system’s effectiveness. Independent review is required. For purposes of reviewing a GRC system internal personnel are ‘independent’ if they are independent of the underlying activity on which they provide assurance.

Assurance personnel, whether internal or external, should:

Provide assurance that risks are appropriately identified, evaluated, managed and monitored

Provide regular assurance to the Board and Management that the GRC system or some aspect

of it is effectively designed to address identified risks and requirements in light of the

organization’s culture and objectives

Provide regular assurance to the Board and Management that the system or some aspect of it

is

effectively operating as designed.

16

17

Business Process Management Best Practices

Source : Denise Bedford Information Quality

Learning and Growth Perspective - Information Capital

18


Governance, Risk Management & Compliance Process Integration

There are many reasons an organisation seeks to integrate and align its governance, risk and compliance efforts into a GRC system

1 The cost of complying with an increasingly complex, voluminous and ever-changing patchwork of legal mandates is always rising.

2 There is a lack of visibility into not only operational issues, but also risk and compliance activities.

3 There is unnecessary complexity and duplication of effort taking place to address risks and requirements as numerous processes and controls are buried in isolated silos.

4 The Board and senior management face increased accountability and liability.

5 There is redundancy in some areas and possible gaps in coverage for critical risks in others.

6 The cost of maintaining duplicate set of information for different purposes and reconciling information when necessary is high.


19


Governance, Risk Management & Compliance Process Integration

Apart from the main governance, risk, compliance processes, other functional and process areas, that comprise a holistic governance model include.

Governance Information Technology

Risk Management Business Ethics

Compliance Quality Management

Strategy and Business Performance Management Sustainability & Corporate Social Responsibility

Internal Control Human Capital and Culture

Corporate Security Audit and Assurance

Legal Finance

Within the context of an integrated GRC system, the individual functions share a mutuality of interest, a common need for information and contribution to the organisation’s efforts to achieve Principled Performance.


Designing a Business Architecture

• In order to align technology with business, we need to design a business architecture

• Business architecture includes: – Business framework to which all business definitions and models

can be mapped

– Business process management best practices for representing business processes which are manageable by business analysts, understandable to business managers and executable by developers


20

Current State – Business Framework

• Organisations themselves may not have a comprehensive view of the entity’s

business, although there is a wealth of business knowledge and documentation

– Current business definitions may be constrained to what single organizational

units do and how they do it

– May be variations on a process across the organization

– Formal policies and procedures may not fully describe how work is done

– May be gaps in coverage of some business processes

– May be redundant descriptions of the same process which are not consistently

maintained

– May represent a technology view rather than a human workflow view

– May not describe all of the resources that are required to support a business

process


21

Business Process Management Best Practices

• Business process management recommends that we:

– Define internal best practices and guidelines to ensure that business process

models are consistently developed (ARIS Framework)

– Develop business models for processes, and inventory, register and publish

existing business models (Business Analysts & Stewards working with IQ and IS

teams)

– Recommend standards-based modeling and execution languages to be used by

developers for implementing business process models

– Build a business architecture layer as part of enterprise architecture

– Establish an enterprise governance process for business process management

22


Business Process Models

• A business process should be represented as models of end-to-end sequence of tasks or sub-processes, which describe all of the inputs, outputs and steps/activities required to execute the process

• ARIS framework provides us with a comprehensive view of a business process description

• Working within the business framework, and leveraging the ARIS business processing modeling strategy, we can both harmonize across the organization and standardize our current business knowledge

23


Architecture Information Systems Framework -Robust description of a business process includes all elements of the framework. 24

Business Process Description

Data

Information Services

Other Services

Material Input

FinancialResources

Initial Event Message

Business Process

Steps & Sub-processes Result/Event

Information Services

Other Services

Material Input

FinancialResources

Strategic Goal

ApplicationSoftwareInfrastructure

TechnologyResources

HumanInput/Output

OrgUnit

25

To design a successful performance intervention, an organization must have a basic

understanding of

• The process’ inputs, steps, outputs; and the measures and standards for all three

• The individuals who will be performing in that process

• What specific performance is required/desired- and what the current level of level of

performance is

• Exactly what knowledge and skills are required to perform

• The strengths and weaknesses of any current Training & Development

• The environmental (non-human) enablers required to perform

• The strengths and weaknesses of any current environmental (non-human) enablers

Business Process Models


Business Framework and Business Process Management

• Looking back to the value proposition, we need a level of business process

description which will allow us to:

– connect any system associated with the process

– identify the people who support it

– link financial resources

– acknowledge but also cross organizational boundaries

– identify compliance (financial, records) points

– identify data and information quality control points

– Identify common steps and sub-processes to simplify and reuse applications

– provide managers with the capability to monitor the process for improvement

and planning purposes

26


27

Overview ofCulture & Context

Learning and Growth Perspective - Organisation Capital

C1 EXTERNAL BUSINESS CONTEXT

Understand and, when necessary, influence the external business context in which the organization operates.

Principles

01 Understanding the ever-changing external context is critical to designing a GRC system that is resilient to change and can evolve with it.

02 Some aspects of the external context will change despite the organization’s best efforts to maintain the status quo.

03 Certain aspects of external context can, and in some cases should, be influenced by the organization.

04 The organization should recognize that there are external influencers, such as the media or community groups who can shape stakeholder opinion.

28


OCEG® Open Compliance & Ethics Group ®

C2 INTERNAL BUSINESS CONTEXT

Understand the existing people, processes, technology, organizational structure, stakeholders and key assets that drive organizational value.

Principles

01 Internal context analysis should focus on key aspects that drive organizational value.

02 The organization should design a GRC system that aligns with the internal context.

03 The organization should use the GRC system to identify and change certain aspects of the internal context to better support organizational objectives.

04 Some aspects of the internal context will change despite the organization’s best efforts to maintain the status quo, thus the GRC system must identify triggers that will require or cause it to evolve.

29



C3 CULTURE

Understand the existing culture including the organizational climate and individual mindsets about integrity, compliance, risk, and approach to management.

Principles

01 Leadership should set the tone at the top and provide consistent and repeated commitment to integrity in both words and deeds.

02 Individuals must be convinced that leadership is genuine about its commitment to values or they will not have any regard for the established values.

03 The GRC system can, and in some instances should, change certain aspects of the culture.

04 Some aspects of the culture will change despite the organization’s best efforts to maintain the status quo, thus the GRC system must have triggers that will tell it when to evolve to respond to cultural changes.

30



C4 VALUES & OBJECTIVES

Define what the organization wants to achieve and the values for which it stands.

Principles

01 Without the leadership to support clearly and regularly articulated mission, vision and values, the organization will operate on the values defined, ad hoc, by work groups or individuals according to their own beliefs and interests.

02 Values will vary for every organization - that said, values must include adherence to legal mandates and general principles of integrity and ethical conduct.

03 Whether the organization authorizes the Board or management, with Board approval, to set objectives, the Board must oversee management’s continual efforts to meet the established objectives.

04 Align objectives to stated values.

31



32

MAJOR STRATEGIC OBJECTIVE

RELATED ORGANISATION OBJECTIVES -Institutionalise Customer Focus Leadership Development Programs

MEASURES TARGETS STRATEGIC INITIATIVES

A Leadership

Build a cadre of leaders who can leverage human capital for competitive advantage. They deploy through direct coaching/mentoring of staff, the “customer engagement models” that drive the customer satisfaction/ lifetime relationship value proposition .

• % internal vs. external hires

• % participation in customer focus

leadership programs

Vision Awareness Program

Accountable for strategy

Strategy linked to budgets &

operations

Improve key deficiencies

B Culture/ Strategy Awareness

Create an organisation that internalises the shared vision, strategy, and cultural values required to execute on the staff interaction behaviours that deliver the ‘customer experience’ outcomes

• % employees regularly surveyed

• Culture assessment

Formal information sharing

program

Mentoring Program

Employee survey

C Alignment

Create an organisation where personal goals and incentives are aligned with customer focus and loyalty strategy; and one that encourages personal contribution

• Personal goals linked to BSC (%)

• % receiving incentive

compensation

Alignment of HR Bus.

Balanced Scorecard

Cascaded Scorecards

Incentive Compensation

D Teamwork

Create teamwork and a culture to encourage the sharing of knowledge and experience needed by the Customer Focus strategy

• % using knowledge sharing

channels

Key Staff Retention

Cross-Functional Teams

Shared Rewards


Messrs Kaplan and Norton - BSCD Collaborative

33

PHILIP A F MARSHALL C.A. F.C.A

© OCEG 2009ACKNOWLEDGEMENTS

President, Open Compliance & Ethics Group OCEG® / Driving Principled Performance ®

Mercer Delta Consulting

Standards AS/NZ HB 254 -2005 Governance Risk Mgmt Control Assurance

Denise Bedford Information Quality

American Institute of Certified Public Accountants, Inc.

Messrs Kaplan and Norton - BSCD Collaborative

philip a f marshall c.a. f.c.a july 14 th 2011 establishing the governance strategy of the audit...

Documents

review plans

critical strategic decisions

review of decisions

strategic direction

strategic thinking process

process of strategic

review core strategic

strategic thinkingrole