Group-think and directors not speaking up. Copyright Richard Leblanc. All rights reserved.

Transcription

1 Group-think and directors not speaking up 11

2 Risk and Industry Expertise 12

3 Risk often lowest rated role of board 13

4 Risk management 14

5 Sample results (director weaknesses) 15

6 Red flags for risk failure, continued 16 n The so-called rogue employee vs. actual culture; n Culture, integrity & their controls not independently audited; n Pay for results rather than pay for conduct; n Pay drives behaviour: Incented risk takers; n Clawbacks not based on risk and ethics; n Key performance indicators not risk-adjusted; n Risk assessment before bonus and equity vests; n Bullying, intimidation, fear: Not speaking up (to come); n Poor crisis management: law tail wagging company dog;

7 Crisis Management: A Good Example 17

8 Red flags for risk failure, continued 18 n Whistle-blowing program run by management, and neither anonymous nor rewarding (OSC / SEC examples); n Flawed internal investigation and no confidence in it; n Wrongdoer: dominant, bullying & charming, charismatic, high performing; n Wrongdoing starts small, then capture, then bullying; then slippery slope of wrong doing (see video); n Protect the company (leader) and performance at all costs; n Broad confidentiality clauses override whistle-blowing and speaking up; n No reputation or exogenous shock test;

9 Why don t people speak up? 19

10 Speak up, speak up, speak up! 20

11 Management or the Board? 21 Risk and compliance failure is always a failure of the board. It is not just a management failure. There is no such thing as a poor company, only a poor board.

12 Management or the Board? 22 If internal audit, compliance or risk is weak, you likely have a dominant management and a weak audit committee and board. It is not possible to have a strong audit committee and weak oversight functions.

13 23 Advice to any employee + oversight function: Speak up, speak up, speak up! The behaviour and practices you observe are the behaviour and practices that you accept.

14 Risk red flags, continued (general) 24 n Captured, complacent, even encouraging board; n Ambiguity and complexity is a red flag for fraud; n Focus on narrow rule correctness, not cumulative effect, spirit or principle; n Limited education and communication; n Industry and past practices justified and generalized; n Living beyond means and not taking vacations; n Blocking third party expertise (very common); n Defective Code of Conduct, COI policy, sign-off;

15 CEO Reputation Succession Risk: Sources planning of Risk 25 Risk Rating Key Note: The colours indicate the ratings to these sources of risks. Uncoloured sources of risks were not rated as Medium or High at this date. Source: J. Fraser, Enterprise Risk Management course, MFAc Program, York University, 2015; Very High High Medium/High Medium/High

16 Risk Adjusted Compensation 26

17 Changes to risk management and audit: Review 27 n CRO, CAE, CCO, CAO: oversight functions: no functional oversight by management; n No CEO control any more: operational and executive management cannot interfere: client is board and committees; n Selection, authority, mandate, resources, accountability, independence, compensation, succession; n Compensation cannot include revenue or operational responsibilities as metrics; n Board and Committee chair paper and training; n RAF and limits / threshold best practices;

18 More on risk adjusted compensation 28 n Pockets of acute risk complexity, cyber, safety, reputation with opaque controls and management override; n Immature, lack of controls, IT: RAF now; n CAE restricted from compensation: Full scope; n Deferral and explicit ex post adjustment; n Compensation Committee has discretion; n Risk adjusted metrics with denominators; n RM and ethics in clawback or malus;

19 Oversight of Risk Management 29 Customers Customers sales Planning Reliability Relationships Contracts Standards and Expectations Customer viability Rating Agencies Maxtor credit Vendor terms (guarantees, advance payments) Environment Political Legal Regulatory Business Interruption ExternalTheft/Fraud/ Illegal Acts Business Practices Salary Inflation Innovation Knowledge Assets Empowerment Training Integrity Management Fraud Employee/Theft/Fraud Illegal Acts Resource Misuse Ethics Brand Image Tone At The Top Reputation Human Resources Availability of Skilled Staff Perf/Rewards Alignment Workforce management Communications Morale and Job Satisfaction Leadership Competitors IP Protection We missed it. Strategic Planning Capital Investment Corp. Organization R&D Financial Strategic Operations Safety Environmental Compliance Govt. Compliance Reliability Operating Costs Sales and Marketing Contract Compliance Capacity Planning Engineering Repair Services Information Technology Access Availability Information Relevance Continuity System Integrity Technology Infrastructure Tech Development & Integration IT & Business Strategic Alignment Outsourcer Management Cost Control Risk Management - Insurance Risk Management - Interest Rates Risk Management Foreign Exchange Investments Financing Tax Strategies Debt Compliance Acquisitions Divestitures/Closures Manufacturing Strategy Functional Location SG&A Capital Projects Quality Customer Credits/Rebates Inventory Management Procurement Lease Compliance Liquidity/Cash Flow Credit/Bad Debts Financial Planning & Modeling Accounting & Reporting SEC Reporting Management Reporting Statutory Reporting Financial Forecasts Tax Accounting & Reporting Performance Management Analyst Communications Suppliers Supply Pricing Quality Relationships Billing Logistics Technology Product Obsolescence Source: N. Marks

20 Oversight Ex: Top 15 of ERM-related Risk Management Risks, York University 30 Customers 1. Customers Government sales Policy Risk. Suppliers Human 9. Financial Organization Structure Risk. Supply Resources Risk Management - Insurance Planning Reliability Relationships Availability of Skilled Staff Perf/Rewards Alignment 2. Contracts Competitor Risk. Workforce management Reputation Information Technology Risk Management - Interest Rates Risk Management Foreign Exchange Investments Financing Standards and Communications Expectations Morale and Job Satisfaction Tax Strategies Customer viability Leadership Strategic Risk. Debt Compliance 3. Change Readiness Salary Inflation Risk. Lease Compliance Innovation Strategic Planning Acquisitions Liquidity/Cash Flow Knowledge Assets Capital Investment Divestitures/Closures Credit/Bad Debts Empowerment Corp. Organization Manufacturing Strategy Rating Training R&D 11. HR Functional Academic Location Risk. Financial Planning & Modeling Agencies 4. Capital Availability Risk. Maxtor credit Integrity Operations Accounting & Vendor terms Safety SG&A (guarantees, 12. Reputation Erosion Reporting Risk. Management Fraud Environmental Compliance Capital Projects 5. advance Leadership Risk. Govt. Compliance Quality SEC Reporting payments) Employee/Theft/Fraud Reliability Customer Credits/Rebates Operating Costs Inventory Management Management Reporting Illegal Acts Sales and Marketing 13. Strategic Procurement Labour Statutory Relations Reporting Resource Misuse Contract Compliance 6. HR Non-Academic Risk. Capacity Planning Financial Forecasts Ethics Engineering Risk. Tax Accounting & Reporting Repair Services Brand Image Performance Management Tone At The Top Analyst Communications 7. Student Satisfaction Risk. Environment Political Legal Regulatory Business Interruption ExternalTheft/Fraud/ Illegal Acts Business Practices Competitors IP Protection 8. Communications Risk. We missed it. Access Availability Information Relevance Continuity System Integrity Technology Infrastructure Tech Development & Integration IT & Business Strategic Alignment Outsourcer Management Cost Control Pricing Quality Relationships 10. Performance Measurement 14. Enrolment Targets Risk. 15. Resource Allocation Risk. Billing Logistics Technology Product Obsolescence Copyright Copyright 2011 Richard Leblanc. Source: All N. rights Marks reserved.

21 Oversight Internal Controls of Risk Management, Tools to Customize continued 31 Segregation of duties Restricted areas Approvals Reconciliations Record retention Safeguarding and asset accountability Management override Manual controls Data Security IT, inventory and other controls; Areas of vulnerability and fraud schemes; Source: Source: R. Basel Leblanc, (May Assessment 10), Europe methodology (Dec 10) and for FDIC audit (Feb committees 11) Copyright Copyright 2011 Richard Leblanc.

22 Oversight Internal Comprehensive Controls of Risk Risk Management, Your Governance Tools to continued Customize 32 ERM Risk Register Template University Strategic Direction University Strategic Directions Board of Directors Segregation of duties Inherent Risk Risk Overall I.R. Residual Risk After Overall R. Before Response Risk Restricted areas Rating Management Response CEO R. Rating Strategy & Before After Points of Proba Response Reliance Probability Response Impact Impact S-Ox -bility Dodd-Frank Approvals Basel/King IT Reduce Infrastructure Likely Major ICT Possible Major will not Reconciliations Foundational support Document University ITS Unit Plan initiatives Record retention? Data Use Policy (p. Audit 9) Comp. Etc. Nom/Gov. Committee Safeguarding Committee and asset Committee accountability Risk Etc. (or equivalent) (or equivalent) (or equivalent) Management override ICFR Critical importance to the ICNFR success of the University in meetings its High financial Manual and non-financial controls goals CFO SHRO CS, GC CRO Important Data but not critical Security to the success of the University in meetings Moderate its financial and non-financial goals IT, inventory Committee and Charter other Coverage controls; Risk does not have a material bearing to the success of the Low Areas of vulnerability University in meetings its financial and fraud non-financial schemes; goals EA CC GA, SF IA Material financial and non-financial business risks & IC reporting Source: Basel Source: (May Source: 10), R. University Leblanc, Europe (Dec Audit of Saskatchewan 10) Committee and FDIC Review (Feb 11) RAP 32 Accountability & Action Required Complete plan Develop & implement college & admin unit plans including contingency & recovery Copyright Copyright 2011 Richard Leblanc.

23 Proper Internal Audit and Controls 33 n Independent; n Compensation; n Stature / Hiring / Firing; n Work plan approved; n Link to Audit Committee ~ Executive Sessions; n Gross to residual risk for all material business risks; n Testing design and effectiveness of all internal controls;

24 Weaknesses of Risk Management 34 n Risk takers & compensation; n Non-financial risks and ICNFR: operations, technology, reputation, health, safety, security; n Management knows the risks; Internal Assurance MGMT Certif. External Assurance n Board: Integrated Mapped Assurance n Protect Internal Assurance; Top Risk Families n Complete, coordinated, independent assurance;

25 Comprehensive Risk Governance 35 Board of Directors S-Ox Dodd-Frank CEO Basel/King EA CC GA, SF RAP Audit Committee (or equivalent) Comp. Committee (or equivalent) Nom/Gov. Committee (or equivalent) Risk IA CFO SHRO CS, GC CRO Committee Charter Coverage Material financial and non-financial business risks & IC reporting Copyright 2011 Richard Leblanc.

26 Risk Governance ~ Best Practices 36 n Formal documented risk appetite framework, with tolerances, registers and accountabilities; n ERM that is integrated, dynamic and culturally embedded; n Oversight functions compensation determined independently from business units, based on achievement of objectives of functions; no undue influence / conflicts; n Risk function has input into performance metrics and compensation decisions of senior management; n Third party reviews of risk, oversight functions; n Crisis, contingency, scenario planning to Board; Copyright 2011 Richard Leblanc.

27 Risk Limits, Roles, Responsibilities, Implementation 37 n Risk Appetite Framework: all in, in writing, board approved; n Risk Appetite Statement: qualitative and quantitative; n Risk Limits: specific, containing, constraining, clear, controlled, reported, assured, in real time; n Implementation: shared, communicated, tested, accountabilities, flowing from strategy, monitoring and reporting; n New roles and responsibilities: Board, A/R Committee, CRO, CAE, Chairs and CEO, CFO, line and unit leaders; n Risk expertise on board and committee coverage; Copyright 2011 Richard Leblanc.

28 Another example: IT Risk 38

29 CEO Social Succession Media, IT Governance planning Trends 39 n Our entire lives are on connected to the internet (FBI Director); n Social media #1 activity on the web (HuffPo, BCooper); n Average user picks up their device 1,500 times a week (MailOnline), and reaches for it at 7:31am each morning; n Average smartphone owner uses their phone for three hours, 16 minutes each day; n Only 13% of companies have BYOD policies (EY, 2014); n < 50% companies use encryption techniques for devices; n 38% of companies do not address cloud risks;

30 CEO Social Succession Media, IT Governance planning Trends (cont d) 40 n Cybercrime: ~ $9-21 trillion possibly at risk (NACD report); n Cybercrime constitutes greatest transfer of wealth in history (NSA Chief); n Head of FBI, James Comey: impossible to count. The internet is the most dangerous parking lot imaginable. ; n There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese. n Only 56% of companies conduct penetration tests, and 19% fail to test at all (EY, 2014); n Cyber criminals are at world cup level, and we are at highschool soccer level (Head of FBI analogy);