Chartered Institute of Internal Auditors

Transcription

1 17 July 2018 Strategy Chartered Institute of Internal Auditors Internal auditors help their organisations achieve their objectives by providing assurance and consulting services to board members and managers. Only with a strong grasp of the organisation's objectives - as expressed in its strategy - can internal auditors hope to fulfil this role. This guide provides an overview of what strategy involves. It offers internal auditors a tool to help them approach their organisation's strategy and evaluate its strategic management processes. The purpose of strategic management The benefits of strategic management Key characteristics and features The role of the internal auditor Potential issues and risks Reviewing the elements of strategic management Auditing the implementation of a strategic priority The purpose of strategic management The literature on this subject can be confusing. Different organisations use the same terms to describe different things, or different terms to describe the same thing. For example 'strategic management', 'corporate planning' and 'strategic planning' are all terms that have been used to describe planning by organisations. For the purpose of this guidance we use 'strategic management' to cover the whole process from developing a long-term vision of the organisation to the implementation of decisions, monitoring of results and corrective actions. We prefer the use of 'strategic management' because planning is a continuous management process that is responsive and dynamic rather than a one-off task. It is integral to the responsibilities of managers. The purpose of strategic management is to define the direction of an organisation. It involves setting goals and milestones, specifying how to achieve them, deploying assets and resources, implementing actions and evaluating results. Strategic management is a means to an end but it also an iterative process that responds to a changing business environment. In simple terms strategy is about: Moving the organisation from where it is now to where it wants to be. Being aware of the environment and market conditions. Obtaining and allocating resources. Satisfying stakeholder needs. Taking risks and managing risks. 1

2 Being better than the competition. As a result strategic management is not a simple exercise as it requires the organisation to make some important decisions. It should ask: What business are we in? What is our objective? What products and service are we going to offer? Who are we going to offer them to? How do we obtain funding and other resources, such as volunteers or employees? How do we assess success? For commercial organisations, on what basis will we compete? The strategic plan is therefore a statement of intent to stakeholders at a particular point in time. Strategic management can be summarised using four basic terms: Perspective: a vision of what the organisation is going to become. Plan: means for getting from one place to another. Position: a particular set of products and services within specified markets. Pattern: a particular pattern or focus of delivery i.e. to 'high end' customers. The benefits of strategic management Effective strategic management creates a sense of purpose for the people who work within an organisation. It establishes a common set of values and goals. This encourages commitment and participation and informs day-to-day decisions at different levels of the organisation so that business units and departments work coherently. Strategic management also develops objective analysis around the feasibility and resourcing of plans that helps to clarify roles and responsibilities within the organisation. This enables people to compare progress against targets, identify significant deviations and either adjust the objective or change the way resources are being used. The benefits of strategic management can therefore be summarised under four main headings: Clarity of purpose Sense of direction Common values Priorities Unity of purpose Participation Building knowledge of the business Coherence 2

3 Achievement of purpose Feasibility Resourcing Clarification of responsibilities Framework for day to day decisions Delegation Monitoring Responding to uncertainty Key characteristics and features A good strategy has five characteristics. It is simple, clear, credible, motivating and reflects the uniqueness of the organisation. At the same time, it must be able to embrace new ideas and be flexible: particularly during an economic recession when new opportunities often emerge from changing circumstances and testing times. Therefore, strategic management must also include robust decision making and effective risk taking. It must be a continuous process rather than a one-off exercise with regular reviews to ensure that the strategy remains relevant and sensible. Scheduling strategic reviews depends on the nature and needs of the organisation and its immediate external environment. For example, in an industry that is changing rapidly planning might be carried out frequently - maybe more than twice a year in a very comprehensive and detailed fashion. On the other hand, if the organisation has been around for many years and is in a fairly stable marketplace, then planning might be carried out once a year. In all cases, the organisation needs a mechanism to identify changes in the environment and to initiate an unscheduled review if necessary. Strategic management is integral to the responsibilities of all managers. In larger organisations, a specialist planning team may be available to orchestrate the process. They can establish timetables and guidelines and coordinate activities across the organisation. In other organisations, the general management team may share out the responsibilities. There are various models for managers to follow. The diagram below illustrates the key features of one of the most basic and widely used. The same processes are used in the internal audit tool. Elements of strategy - from a presentation by Dr Keith Blacker 3

4 The role of the internal auditor As always, internal auditors do not have responsibility for activities that are the responsibility of management and the board. Strategy and strategic management are clearly such activities. However, there are three reasons for internal auditors to be interested in the strategic management processes. 1. It informs the role The role of internal audit in general is to help the organisation accomplish its objectives by providing independent and objective assurance of governance and the management of risk. The organisation's strategy provides the context for all this activity: the organisation's objectives. Therefore, the better the internal auditor understands the strategy and the processes that form and modify it, the better the internal auditor can fulfil its own mission. 2. Its impact on success The long term success or failure of an organisation can be radically affected by the quality of its strategic management. There can be great opportunities from getting it right and substantial risks from getting it wrong. Therefore, any assurance or consulting activities in this area can be extremely valuable. 3. It will help you to succeed Thirdly, strategy is most often the realm of senior managers. If internal auditors can be involved at this level of the organisation, it will help their work in general - as long as they impress, of course! 4

5 Objectivity and independence The role of internal audit is not to supplant management as strategic experts. It is to bring their objectivity and independence to challenge the thoroughness of the processes, including the decision making, and the reliability of the information flows. Internal auditors are in an ideal position to appreciate how the pieces of the strategic management jigsaw fit together and can play a valuable role by providing objective assurance that strategic plans are effectively communicated, understood and implemented. This includes the application of the organisation's risk appetite through the correct and consistent use of the risk management process. The internal auditor can bring real benefit to senior management by asking questions about the way the organisation organises, implements and sustains strategic management to support good governance. Potential issues and risks The next two sections are based on material presented and discussed at an IIA forum for heads of internal audit. They suggest various issues or risks that might arise during strategic management and possible responses to those risks. They provide the foundations to audit the development of strategy and its implementation. You can use them section by section, together or separately, depending on the particular needs of the organisation and the engagement objective. We recommend that, as always, you discuss and agree terms of reference with senior management and the audit committee to clarify the boundaries of any audit in the area of strategy. You should adapt them to your organisation's way of doing things: its management framework, culture, state of development and so on. It is unlikely (and unnecessary) that an organisation will have implemented all the risk mitigation actions - or necessarily faces all the potential risks. You need to apply your professional judgement in using the material and then in assessing whether management has taken sufficient steps to reduce the level of risk to an acceptable level. Reviewing the elements of strategic management 1. Vision of purpose Statements of vision and purpose may be out of date - no regular review or critical challenge of statements. Statements of vision and purpose do not enthuse or engage with staff. Poor communication of vision and purpose to staff. Statements of vision and purpose do not reflect the distinctive nature of the organisation, making it no different from other providers or competitors. No analysis of markets and emerging competitors. 5

6 Failure to understand and build on the core strengths of the organisation. No sense of ownership or involvement with the vision among managers and staff particularly at business unit or department level. No link between the vision and individual objectives. Vision reviewed periodically. Non-executive board members provide a critical challenge. Staff given the opportunity to take part in a review. The statements of vision and purpose are made readily available to staff. Imaginative ways are used to remind staff of the vision from time to time. An introduction to the vision and purpose is part of the induction for each new member of staff. There is a hierarchy of communication of planning statements that derives from the vision. Senior managers explain how their units and departments contribute to the vision and purpose. There is evidence that the vision is used to make judgements about proposed developments. Periodic staff surveys report on morale, understanding and commitment. 2. Strategic direction Strategic direction has no obvious link with vision and purpose. Strategic direction is viewed with antipathy by staff or key stakeholders - failure to communicate strategic direction. Risks associated with the strategic direction do not form part of the risk management process. Poor analysis of internal and external factors that may impact upon the strategic direction. Lack of realism from poor analysis or over-optimistic expectations - poor management information. Strategic direction is unrealistic in terms of resource requirements. Strategic direction is inflexible or slow to respond when circumstances shift. Progress along the strategic direction is not monitored. There is a clear link from the vision and purpose to the strategic direction. Nothing in the strategic direction contradicts the vision. Regular horizon scanning. Setting and periodic review of the strategic direction draws on a range of good practice techniques such as SWOT, PEST, competitor analysis, scenarios, stress testing etc. High level risk analysis is carried out as part of development of strategic direction. Strategic direction is developed with effective consultation and communicated clearly. Strategic direction is drawn up with knowledge of staff attitudes. Critical assessment and challenge of strategic direction by non-executive board members. Strategic direction retains sufficient flexibility to cope with the unforeseen. Analysis used in setting the direction produces a clear statement of where the organisation is at the outset. 3. Strategic objectives 6

7 Strategic objectives ignore the context of the vision and purpose of the organisation. Failure to match strategic objectives to strategic direction - poorly defined goals. Strategic objectives are pitched at the wrong level - too hard or too easy. Objectives are ambiguous or poorly specified. Objectives are unbalanced or mutually contradictory. Objectives are set without reference to capability (resources, staffing, skills, systems etc). Accountability for achieving objectives is not allocated or is unclear. New objectives set without regard to whether information is available. Inadequate information to assess achievement of or progress towards objectives. Strategic objectives are clearly in line with the vision and the direction. Each objective is tested against the vision and direction before being accepted. Managers contribute to the definition of performance measures and SMART objectives. Each objective is assigned to a lead manager who is accountable for performance. Each lead manager has sufficient authority to make expected progress towards the objective. Each objective has a range of suitable management information available to provide a measure of progress (lag) and warnings (lead). Use of a balanced scorecard approach. There is a communication plan to ensure managers know and understand the strategic objectives, particularly the ones that affect their area strategic objectives are related to business unit and departmental objectives. There is a clear understanding of constraints on capabilities. Where appropriate, constraints are measured and managed to give feedback to the strategic objectives. 4. Business plans Plans are not aligned with strategic objectives. Business unit and department managers have not signed up to strategic objectives. Plans assume 'business as usual' and ignore potential improvements from change projects. Plans assume unrealistic levels of improvement. Failure to understand or take account of constraints. Plans do not take adequate account of risks. Plans are not inter-linked between different business areas where one area depends on performance in another. Business plans are unclear or poorly defined; critical success factors are not identified; targets fail to apply SMART principles. Managers are not trained to apply SMART principles; no attention to keeping a balanced set of measures. Poor communication between managers and staff; staff have little opportunity to influence their business plan. Staff do not understand their role in delivering the plan. Objectives are set without reference to capability (resources, staffing, skills, systems etc). Actions are not delegated to specific individuals; delegation doesn't include sufficient authority to act; management systems and training do not support effective delegation. 7

8 Plans fail to set out accountability for delivering the intended outcomes. Processes (such as IIP) are in place to give unit and department managers sufficient understanding of strategic objectives and how these relate to department activities. The main business objectives are explained in terms of their contribution to strategic objectives. Business objectives that make no contribution to strategic objectives are subject to review and justification. Plans are reviewed in the light of past performance and anomalies investigated and explained. Plans are based on a sound analysis of current and expected resources. Managers' performance is assessed in the light of strategic objectives. Business plans include an analysis of activities that depend on performance by another department. The analysis is explicit about expected levels of performance. Measures are constructed in accordance with good practice (such as SMART). Mechanism to ensure that stated levels of expected performance are formally agreed between departments and reflected in each other's plans. Mechanism for capturing expected improvements from development projects and building these in to department and operational plans. Managers have received training on performance measurement, balanced scorecards etc. Performance measures are set for each business objective and its critical success factors. Plans are produced in an open way that encourages involvement from line managers and staff. Plans are readily available to staff. Objectives in the business plans are used to derive individual or team objectives and agreed with targets as part of the staff appraisal scheme. Staff receive regular briefings on the progress towards stated objectives. Staff understand how their role contributes to delivering the plan. There is a clear scheme of delegation for actions under the plan and review procedures are in place. 5. Forward financial planning Forward financial plans (3 to 5 years) are not linked to strategic or business objectives. Plans not linked to planning assumptions and horizon scanning. Assumptions are not tested for sensitivity. Cash flow implications and balance sheet implications are ignored. Forward financial plans fail to take account of change projects - investment costs and benefits. Reserves policy is not clearly stated. Plans and significant supporting spreadsheets are not reviewed for errors or omissions. Forward financial planning is closely aligned with planning for strategic and business objectives. Forward financial plans are updated on a rolling review. Assumptions underlying financial plans are clearly stated and approved at a senior level. There is cross-checking between stated financial assumptions and the results of PEST and horizon. Significant assumptions are varied to test the effect on the financial plans. 8

9 Areas of uncertainty and the potential effect are reported to decision makers Sources. of finance are identified. Reserves policy is stated and approved. Outline cash flow and balance sheets are produced. Significant costs of change projects are included in plans. If significant benefits from change projects are included, the assumptions made are clearly stated. Effective internal controls are in place to provide assurance that supporting spreadsheets are reliable and that errors and omissions are unlikely. 6. Annual budgets Annual budget set in isolation from strategic objectives and forward financial planning. Annual budget does not reflect business plans. Annual budget does not account of development and change projects. Annual budget does not reflect strategy for accumulation and use of reserves. Inadequate procedures and controls for budget preparation. Annual budget is not reconciled to existing budget and changes explained. Failure to review budget detail leads to errors and omissions. Budget does not reflect external or environmental changes that have an impact. Budget concentrates on financial matters and ignores activity budgets (e.g. staff numbers, space available, capacity constraints). Possible risk mitigation Annual budget is confirmed as realistic in the light of longer term financial plans. Results of analysis used in strategic plans are readily available for budget setting and review. Timetable for annual budget preparation takes account of other planning activities, both overall and at department level. Project management controls include effective budgeting and financial monitoring. Expected benefits from projects are identified and fed into the budget setting process. Budget preparation process has effective controls including: - Explanation of differences from current budget and performance. - Review and formal approval by budget holders. - Timetable allows for effective checking and review. - Assumptions are stated and reviewed. - Significant spreadsheet calculations are tested and confirmed. - Budget includes cash flow and outline balance sheet. 7. Change and development projects Failure to ensure that projects support strategic objectives. Inadequate business case for new project. Failure to distinguish between operational and 'routine development' activities on the one hand and change and development activities on the other. Poor links between change projects and continuing activities. 9

10 Failure to apply effective project management disciplines. Failure to distinguish types of project leads to misallocation of resources. Poor risk and financial mechanisms for managing projects. Resource levels and budgets not adjusted for results of change projects. Programme steering group to align strategic objectives and priorities with individual projects. A business case exists for each change and development project, justifying it in the context of strategic objectives. There is a mechanism for ensuring that agreed outputs/outcomes from change projects that affect continuing operations are fed back into business planning and resource allocation. Strong project management controls are resourced and applied to each change and development project. Separate risk identification and management as part of project management. Budget and resource allocation ensures proper classification of activities. Project budgets do not get absorbed into or taken from continuing activity budgets without proper approval. Reporting project progress and risk management as part of the high level monitoring routines. Post implementation reviews of projects to establish lessons learnt. 8. Communication and coordination Communication is not given the priority it needs - no communication strategy or plan. Business units and departments send out different messages to staff and stakeholders. Lack of clear processes for dealing with the media. Inadequate training for managers on good practice in communication. Timetable doesn't allow for effective consultation and communication with staff and stakeholders. Managers are unclear about their role in communicating strategic objectives and plans to their staff. Procedures are unclear about how to brief staff and report progress of achievements and developments in the business. There are very few communication channels, internal or externally. There are few performance measures or critical success factors related to the communication process. There is a communications plan as part of the strategic and planning cycle that sets out objectives and key targets. Responsibility for coordinating and issuing important business communications is clearly established. Development training for managers includes principles and practice of effective communication. Results of every IIP assessment are reviewed and lessons learned are fed back into training and development. Staff know how they can make suggestions for improvements. Managers (and staff) receive training or briefings on how to use appraisal effectively. Strategy and planning information is easy to locate on the intranet. 10

11 Regular updates on progress are issued - newsletters, s, briefing sessions. Staff morale and motivation is periodically surveyed. Messages from staff surveys are used to improve communication and training. Appraisal sessions are used to set individual objectives in the context of organisation objectives. The effectiveness of the communication plan is assessed. 9. Delegation and accountability Matters delegated are beyond staff competence. Too little is delegated leading to staff frustration. Too many have delegated authority making the scheme unmanageable. Lack of control over delegation scheme Staff are unclear about level of authorit.y delegated. Staff in other departments do not know who has delegated authority so checks and controls are rendered useless. Manager cannot or does not monitor use of delegated powers. Lack of clarity over accountability. Accountability assigned without matching authority. Use of delegation is not reviewed during appraisal meetings. There is a clear scheme of delegation indicating who has what powers. Delegation of accountability or responsibility is accompanied by sufficient delegation of authority. Management development includes training in effective delegation. Managers' own appraisal includes review of their use of delegation. Delegations are made to staff who are competent in the relevant activity. There is active encouragement to delegate functions as far as possible. Line manager reviews use of delegation. Line manager retains accountability for delegated actions. Where delegation in one area affects controls in another (for example financial or personnel matters) the central department has a manageable list of delegated authorities to ensure control is maintained. Use of delegation is reviewed in appraisal meetings. 10. Personal objectives Personal objectives are set without reference to business objectives. Managers not trained in objective setting. Personal objectives are set without reference to capability. Managers not trained in appraisal skills. Personal objectives are not properly measurable (e.g. SMART measures). Personal objectives are not agreed between staff and line manager. Personal objectives lack sufficient challenge. Personal objectives and achievements are not reviewed and reset. 11

12 Well established appraisal system in place, which is introduced to staff at induction. The appraisal scheme is assessed and updated on a regular basis. Managers are trained in appraisal skills, objective setting and performance measurement with a register of attendance. Staff are trained in appraisal skills, objective setting and performance measurement with a register of attendance. Personal objectives are SMART. Review of performance is a routine aspect of performance appraisal. Successful achievement of objectives can be recognised in a variety of ways. There is independent review of the performance appraisal system to ensure consistency. 11. Performance management Critical success factors not identified. Measured performance is not related to strategic or business objectives. Lack of management information to support the measurement of objectives and targets. Failure to review and use management information. Poor performance not recognised and corrected. Good performance not recognised and rewarded. Managers lack performance management skills. Key performance indicators are set that measure what needs to be measured not what can be measured - SMART targets. Managers are clear about what they will be measured on. Staff understand how their role contributes to business objectives. There is a clearly defined reporting procedure to monitor performance. Performance measurement is linked to personal objectives, which are clear and well defined. Management information is defined and available to support personal targets. Individuals are encouraged to review their own progress and have the information to do so. Training or other support is available where targets are not met, up to a limit. Managers consider team performance as well as individual. Individual and team achievements are acknowledged and rewarded. 12. Performance-related awards Reward schemes are too complex. Rewards fail to recognise what actually motivates people. Rewards are based on measures that are not aligned with business objectives. Rewards are not based on significant achievements. Reward schemes are not applied consistently across the organisation. Reward schemes reward unproductive or counterproductive behaviour. Too long a time lag between achievement and reward. 12

13 Reward scheme is clearly set out, easy for staff to understand and managers to apply. Reward levels match significance of achievement. Rewards are subject to some form of independent review (perhaps on a test basis) to confirm fair and consistent application. Staff consultation or attitude surveys include analysis of motivating factors. Reward scheme is reviewed periodically to ensure it remains relevant. Rewards can be made quickly. Reward criteria are aligned with business objectives. Auditing the implementation of a strategic priority 1. Definition Strategic priority is poorly defined and lacks clarity. Failure to understand what is essential to the delivery of the priority. Core activities that contribute to the strategic priority lack clarity. Core activities as defined leave gaps that could lead to failure to deliver the strategic priority. Poor communication of strategic priority to managers. Department managers have not signed up to strategic priority. For a given strategic priority, core activities can be traced into middle tier and operational plans. Middle tier and department plans indicate activities that contribute to a given strategic priority. Statements in middle tier and department plans are aggregated to give a check on coverage of each strategic priority. Heads of departments can explain how their department's activities contribute to the strategic priorities. There is evidence that the strategic priorities are used to make judgements. Objectives in the business plans are used to derive individual or team objectives and agreed with targets as part of the staff appraisal scheme. 2. Objectives Objectives are unclear or poorly defined; critical success factors are not identified; targets fail to apply SMART principles. Objectives are unbalanced or mutually contradictory. Objectives are set without reference to capability (resources, staffing, skills, systems etc). New objectives set without regard to whether information is available. Objectives are poorly communicated to managers and staff. Failure to critically assess each objective. Failure to break priorities and activities into manageable tasks with clear objectives. Failure to identify what needs to be done well to deliver desired outcomes 13

14 Failure to establish key performance indicators. Inadequate information to assess achievement of or progress towards objectives. Each objective is tested against the SMART framework. Managers contribute to the definition of performance measures and SMART objectives. Each objective is assigned to a lead manager who is accountable for performance against it. Each lead manager has sufficient authority to make expected progress towards the objective. Each objective has a range of suitable management information available to provide a measure of progress (lag) and warnings (lead). There is a communication plan to ensure managers know and understand the strategic priorities, particularly ones that affect their area. Measures are designed to provide balance (such as the balanced scorecard approach). Critical success factors are identified for each business objective A development programme is available to help managers take strategic priorities and apply them at a departmental level. Managers have received training on performance measurement, balanced scorecards etc. There is a clear understanding of constraints on capabilities. Where appropriate, constraints are measured and managed to give feedback to the strategic priorities. 3. Accountability Lack of progress because no-one is responsible for achieving the strategic priority. Actions are not delegated to specific individuals; delegation doesn't include sufficient authority to act; management systems and training do not support effective delegation. Poor management structure leads to lack of accountability. Poor coordination between departments working on related core activities. Inability to assess progress. Failure to provide a mechanism to decide between competing priorities. Each strategic priority has a sponsor. Each core activity is delegated to an identified manager. A core activity manager has an appropriate level of authority to commit resources to achieve the targets. Where core activities cut across departments, mechanisms are in place to achieve co-ordination and communication without losing accountability. Targets are set in accordance with the measurement framework. Key performance indicators are defined for critical success factors. Reporting systems are in place to give timely information on key performance indicators. Review procedures (controls and checks) are in place for delegated tasks. The structure provides a route for decision-making where activities are competing for limited resources. 14

15 4. Planning Plans do not take adequate account of risks. Plans are not inter-linked between different business areas where one area depends on performance. Plans fail to reflect the impact of change and development. Plans fail to set out accountability for delivering the intended outcomes. Plans assume unrealistic levels of improvement. Business plans are prepared in isolation from strategic matters and not justified against strategic objectives. Department plans are prepared in isolation from other departments; there is no mechanism for cross-checking. Plans assume 'business as usual' and ignore potential improvements from change projects. Poor communication between managers and staff; staff have little opportunity to influence the plan; staff do not understand their role in delivering the plan. Plans are based on a sound analysis of current and expected resources. Plans are reviewed in the light of past performance and anomalies investigated and explained. Plans are produced in an open way that encourages involvement from line managers and staff. Fresh thinking and new ideas are encouraged. There is a clear link between business plans and strategic priorities. The main business objectives are explained in terms of their contribution to strategic priorities. Business objectives that make no contribution to strategic priorities are subject to review and justification. Processes (such as Investors in People) are in place to give department managers sufficient understanding of strategic priorities and how these relate to department activities. People know what authority and what limitations they have with regard to actions to implement the plan. Staff understand how their role contributes to delivering the plan. Managers' performance is assessed in the light of strategic priorities. Business plans include an analysis of activities that depend on performance by another department. The analysis is explicit about expected levels of performance. There is a mechanism to ensure that stated levels of expected performance are formally agreed between departments and reflected in each other's plans. External resources Strategic Planning Society UK website providing an extensive library of free articles and research papers, as well training events. The Free Management Library American website providing guidance to not-for-profit organisations. It has a strategic planning subject area. 15

16 Harvard Business Publishing Contains many resources related to strategy, some of which you have to buy. This article is particularly interesting: The Secrets to Successful Strategy Execution Gary L. Neilson, Karla L. Martin, and Elizabeth Powers. Harvard Business Review, June 2008 Strategy Related Auditing IIA Netherlands and KPMG, June