23 rd IAAIA Conference Kuching, Sarawak, Malaysia 26 th to 29 th October 2014




1 Framework Convergence: Building the approach
Alan Simmonds
23rd IAAIA Conference, Kuching, Sarawak, Malaysia, 26th to 29th October


3 The 4 Framework Elements
- Defined method for achieving specified objectives
- Modifiable processes, including take-on, management and reporting
- Common language/vocabulary
- Identified obligations: legislation, regulation, standards

4 Why do we need frameworks?
- Consistency of understanding of our obligations
- Consistency of process and reporting
- More importantly, a common approach providing neutrality, cultural alignment, consistency and low spin-up latency

5 What is convergence?
- Moving toward union or uniformity
- The merging of distinct technologies, industries, or devices into a unified whole
- Coordinated movement of two or more approaches toward a single point, so that the same viewpoint is recognisable and supported by both from different or competing perspectives

6 Why do we need Framework Convergence?
- Pressure of obligations on organisations, internally and externally
- Increasingly active stakeholder community
- Old/damaged concepts
- New activities and scope
- Existing/old regulatory strategies under pressure
- New media
- Research

7 Convergent Operating and Engagement Model
Mechanisms that ensure that projects achieve both local and company-wide objectives.
- Business Model: How do we create value and competitive advantage? [External focus]
- Operating Model: How do we implement the business model? Where and how is the critical work done? [Internal focus]
- Engagement Model
Framework agility

8 A recent study showed that convergence is under way at a large number of organizations, yet the survey also underscored that, although risk convergence is in progress, there are no agreed-upon best practices. When it comes to risk convergence, firms are for the most part still on the lower half of the learning curve.

9 Beware, however, the consequences of convergence:
- Misalignment of policy and legislative constructs with market, behavioural and technological realities
- Gaps in the existing framework's coverage of new forms of content and applications
- Misplaced emphasis in the legislative framework or underlying policy that skews regulator activity towards traditional media or communications activity

10 Consequences of convergence (continued)
- Blurring of boundaries between historically distinct devices, services and industry sectors, leading to inconsistent treatment of like content, devices or services
- Mainstreaming of innovations with associated changes in community expectations
- Piecemeal responses to new issues
- Institutional ambiguity as a consequence of sectoral convergence, such that several regulators or no regulators have a clear mandate to address pressing market or consumer concerns

11 Framework governance

Drivers
- Satisfying regulatory and legislative requirements
- Identifying risk areas for the organization
- Demonstrating compliance to regulators
- Adding value to the business
- Satisfying stakeholder requirements
- Significant changes in the business environment
- Streamlined processes and more efficient markets
- Financial distress or scandal

Opportunities
- Increased compliance capability
- Added value to stakeholders
- Potentially larger market
- Ownership of compliance capability
- Reduced exposure to regulatory and other risk

Pitfalls
- Non-compliance with relevant legislation or corporate policy
- No executive sponsorship: activities without mandate
- No governance processes for continuity, transparency, discipline and auditability
- Missing or inadequate performance measurement
- Inaccurate information relating to the actual cost of operations
- Uncontrolled expenditure
- Reduced market value

Benefits
- Greater investor confidence
- Increased share premium
- Enhanced ability to attract new investment capital
- Reduction in the cost of capital
- Ability to attract higher quality directors
- Ability to hire and retain a high quality workforce
- Reduced risk of financial reporting and other business failures
- Sustained and stable organisation

12 Framework convergence: just a choice?
- Principle 1: Resist a 'one size fits all' approach
- Principle 2: Convergence should enable you to 'assess once and satisfy many'
- Principle 3: Convergence requires collaboration and coordination
- Principle 4: Convergence requires a cultural change
- Principle 5: Risk management must be actionable
- Principle 6: Assume risk is everywhere and make it the focal point
- Principle 7: Risk convergence is evolutionary, not revolutionary
- Principle 8: Make business process management a priority
Olson, Mark. Enterprise-Wide Compliance-Risk Management. April 10,

13 Principle 1: Resist 'one size fits all'
An effective enterprise-wide compliance-risk management program is flexible enough to respond to change and is tailored to an organization's corporate strategies, business activities and external environment. Whether IT-focused or not, the benefits can be:
- Lower costs
- Time to deployment
- Future proofing

14 Principle 2: Convergence should 'assess once and satisfy many'
The framework should provide a consistent approach across your organization's businesses by establishing minimum standards. This will ensure that risk policies, principles and procedures are adequate and effective, and will reduce assessment fatigue.

15 Principle 3: Convergence requires collaboration and coordination
A comprehensive approach enables organizations to:
- Reduce duplication of effort
- Increase efficiency
- Make smarter business decisions
(Parties shown: LOB, IA, Finance, IT, Risk)

16 Principle 6: Assume risk is everywhere and make it the focal point
- Ensure you include multiple GRC elements such as entities, processes, policies, accounts and regulations
- Categorize at multiple levels using multiple taxonomies, e.g. Basel, COSO or your own categorization scheme
- Assess at different levels of granularity, e.g. multiple levels in the business entity or process hierarchy
- Link losses to risks to determine how risk exposure is trending versus actual losses

17 Recognise the role of Information Technology
- Create a central platform to integrate the different data together and maintain the relationships between elements
- Establish a common taxonomy and library for policies, processes, risks, controls, regulatory requirements and other key data elements
- Integrate multiple areas of risk (operational, compliance, strategic, etc.) to provide aggregated analysis and full reporting of all risks across the enterprise
- Provide real-time decision support, such as the ability to highlight and provide notifications of trends, exceptions, unusual activities, etc.
- Drive accountability, assign responsibilities and ensure risk management practices are carried out consistently
- Provide a means to effectively manage and automate communication and escalation of risks and issues throughout the organization
- Localize views for different functions/roles and synchronize the activities of the different functions

18 How would you answer these?
- How critical is control of IT to your organisation?
- Do you manage all IT risk in the same way as you manage business risk?
- What would be the consequences of IT risk materialising?
- How do you deploy your IT resources effectively?
- Are clear roles, responsibilities and accountabilities assigned across IT?
- Can you demonstrate due diligence and control in the governance of technology?

19 Reduced
- Focus on industry and organisation requirements
- Common direction and synergies
- Commonality and consistency, due to the absence of internal standards and frameworks
- Integration, compatibility and interoperability between applications
- Discipline and accountability

Increased
- Gaps and business conflicts
- Ad hoc software development driven by a tactical and reactive approach
- Decision-making gridlock
- Dilution of critical information and knowledge of the deployed solutions

Inability
- To rapidly respond to challenges driven by business changes
- To provide visibility of the current and future vision and strategy
- To predict impacts of future changes

20 Challenges facing convergence management
- Non-IT executives often don't understand the impact of IT risk on business outcomes
- IT doesn't always apply appropriate controls to address reasonably anticipated IT risks
- Risk management practices aren't always formalized in organizations, which reduces their effectiveness
- Acquire insight into the vulnerabilities and the threats to the systems
- Understand the role of information technology in the delivery of services

21 A Taxonomy of Framework Convergence
1. Beneficiaries: organisations, standards bodies, regulators, legislators
2. Intent: the motive to converge
3. Capability: the ability to identify, define and establish the necessary structures
4. Targets (target entity): public sector, private enterprise, individuals
5. Fluidity (convergence fluidity): failure, bureaucracy, sanction, desire
6. Assets: all organisational assets, processes, frameworks etc. under audit, risk, governance

22 Framework bus for convergence? [Diagram: convergent framework; agility]

23 Framework Convergence: a flypast
At PreterLex and CGBoard Asia this is how we approach the initial flypast of framework convergence:
1. Relevance: Is this framework relevant to my organisation, practices, project activities, operating model etc.? If not, then leave; else check Existence.
2. Existence: Is any of this framework already available in my existing environment? If not found, then go to framework; else confirm and go to Sufficiency.
3. Sufficiency: Is this fit-for-purpose? If sufficient, then move on; else review and refine.

24 Convergence: a putative approach

Identify the process
What activities are required to deliver predictable and repeatable framework results through competent people using the right tools across projects? Consider:
- Identifying and managing demand
- Managing demand through to solutions that deliver the intended (or improved) business results
- Continuous improvement of the function

Identify services
What portfolio of framework services must be established to support the activities across multiple simultaneous projects? Consider:
- Service catalogue components
- How do we define and manage framework SLAs and OLAs?
- Do we offer differentiated services by BU?

Identify the governance mechanisms
How do we deliver and sustain important decisions about the framework? Consider:
- How do business needs and initiatives get prioritized?
- How do we manage local and global optimization?
- How are framework and organisational standards chosen, and what are the consequences for deviations?
- How do we govern major framework programs?

Define measures and monitoring requirements
How do we measure and monitor the function's performance? Consider:
- Objectives of the IA, IT and risk organisation
- How the business determines value realized and delivered through framework investments
- Monitoring continuous improvement
- Identification of KxIs etc. and trends
- Framework service and capability consumer experience

Identify capabilities
What are the major capabilities required by the function in order to deliver the services required by projects and programs? Consider:
- Strategy and portfolio management
- In-house and outsourced models
- Allied business capabilities for the framework (e.g. performance, financial, communications etc.)

Define the organisation structures
How do we structure and organize our framework capabilities? Consider:
- What capabilities should be located within the function and what can be within the business?
- How do we organise around major projects and programs?
- How do we organize around major products and platforms?

25 So where is convergence happening?

Singapore Corporate Governance Code 2012
Principle 11: The Board is responsible for the governance of risk. The Board should ensure that Management maintains a sound system of risk management and internal controls to safeguard shareholders' interests and the company's assets, and should determine the nature and extent of the significant risks which the Board is willing to take in achieving its strategic objectives.
Guideline 11.1: The Board should determine the company's levels of risk tolerance and risk policies, and oversee Management in the design, implementation and monitoring of the risk management and internal control systems.
Guideline 11.2: The Board should, at least annually, review the adequacy and effectiveness of the company's risk management and internal control systems, including financial, operational, compliance and information technology controls. Such a review can be carried out internally or with the assistance of any competent third parties.

South Africa King III 2012 (as amended)
5.1. The board should be responsible for information technology (IT) governance
5.2. IT should be aligned with the performance and sustainability objectives of the company
5.3. The board should delegate to management the responsibility for the implementation of an IT governance framework
5.4. The board should monitor and evaluate significant IT investments and expenditure
5.5. IT should form an integral part of the company's risk management
5.6. The board should ensure that information assets are managed effectively
5.7. A risk committee and audit committee should assist the board in carrying out its IT responsibilities


27 view - what to focus on
1. Separate out framework governance to show real measurable benefit and business impact (business strategy -> business governance -> framework governance -> sustainable compliance and reporting)
2. Identify business outcomes, related audit and assurance processes and IT dependencies
3. Formalize a program of governance where risk, compliance and audit are identified, assessed, tracked and reported within your converged framework
4. Integrate governance and corporate performance in a formal framework strategy
5. Develop a business case and appropriate communications plan to promote framework agility

28 Alan Simmonds
Copyrights and Trademarks: All copyrights/trademarks recognised worldwide.
Usage: All PreterLex material may be reproduced conditional upon attribution to PreterLex being in plain sight. It is the responsibility of the reproducer to conform to all copyright and trademark constraints and requirements. All materials issued are for the purposes of this conference only.