The Next Frontier for Internal Controls Beyond SOX 404 Keynote Luncheon Presentation

Transcription

1 THE CONFERENCE BOARD OF CANADA S WESTERN CORPORATE GOVERNANCE FORUM 2005 Shaping Governance Controls to Fit Your Organization Calgary, Canada The Next Frontier for Internal Controls Beyond SOX 404 Keynote Luncheon Presentation Ron Lalonde, CIBC Senior Executive Vice-President, Chief Administrative Officer and Chief Privacy Officer Friday, April 8, 2005

2 1 Setting the stage commitment to good governance Good afternoon everyone. I am delighted to have this opportunity to return once again to the to talk about our continued commitment to building a strong corporate governance culture across our organization. Last year, my colleague and CIBC s Chief Risk Officer, Wayne Fox, spoke at this Forum about CIBC s two-year build of our management strategy for corporate governance. This covered risk, reputation, compliance and, of course, the Sarbanes-Oxley Section 404 (SOX 404) requirements for financial reporting. Since those remarks, CIBC has moved forward in implementing a more formalized and structured control and governance plan across the organization that has enabled us to be one of the first North American public companies to meet the management reporting requirements of SOX 404 as well as to set in place a framework for managing other internal controls more comprehensively.

3 2 Specifically, I ll be speaking today about CIBC s decision and long-term commitment to voluntarily go beyond the Sarbanes-Oxley model of financial reporting and control in order to create a more complete and overarching framework of governance and control. I will share with you the progress CIBC has made in meeting new and evolving demands from regulators. As well, I will describe for you the approach that we are taking at CIBC to ensure not only full and ongoing compliance, but to ensure that we have set our own high standards and have put in place an appropriate organizational structure that will enable us to forge a path to and be ready for - what we believe will be the next frontier in governance and control. From all of this, I hope to provide you with some practical insights into a few best practices and impart to you some of our lessons learned so that you can forge your own paths. Background current regulatory and business environments Like other organizations around the world, CIBC has responded to the evolving demands of a changing business environment. With increased legislation and regulatory scrutiny, the bar has been raised in many areas.

4 3 Businesses are faced with the ongoing requirements of the US Sarbanes-Oxley Act, section 404 (SOX 404) and its Canadian equivalent, Bill 198, which represent some of the most sweeping legislation and set of securities enhancements seen in decades. CIBC, as a US securities dealer, is also expected to meet the new market surveillance guidelines adopted by the National Association of Securities Dealers (NASD). And financial institutions have additional responsibilities in responding to the international Basel II framework, which requires linking regulatory capital with the risk profile of their businesses. A strategy of risk reduction Our business strategy at CIBC has been to reduce earnings volatility and risk, while aggressively growing our core banking businesses by becoming the leader in client relationships. CIBC has made dramatic improvements in our risk profile. We have shifted capital so that our Retail and Wealth Management businesses now have more than 70% of the bank s capital. Our Wholesale Banking business has done very well under tighter risk controls and a reduced capital base. Our corporate loan and merchant banking portfolios are significantly smaller; our credit quality has improved and our capital foundation is strong.

5 4 Consistent with this strategy of risk reduction, we believe that risks in the areas of reputation, control and governance represent increasingly important risks to financial institutions. So we have also developed a comprehensive approach to managing these risks. Given a business strategy of focusing on client relationships, we believe that strong reputation and governance controls are essential to building a climate of trust with our clients. Going beyond Sarbanes-Oxley The new Sarbanes-Oxley regulations, and its Canadian equivalent in Bill 198 specify a rigorous set of documentation, testing and reporting requirements around controls relating to companies financial reporting. While these controls are unquestionably very important, we believe that there are many other controls that are just as important in the low-tozero tolerance environment where many of us live Controls to ensure compliance with the myriad of laws and regulations that we face Controls governing privacy commitments and Controls around operational processes where failure has the potential to result in material financial losses or reputational embarrassment. We believe that controls in all these areas represent the next frontier of requirements for financial institutions and maybe for many other public companies.

6 5 So, at CIBC, we took the decision to get ahead of these issues rather than wait and have to catch up as laws, regulatory requirements and market reputation evolve in these areas. An integrated approach to governance and control So let me review the components of our integrated approach to controls and governance at CIBC. First: The CIBC controls program is a corporate-wide initiative to document and test the significant internal controls across CIBC. The program has five interrelated subprojects: General Entity Controls, which examine the effectiveness of CIBC s entity level controls things like tone at the top, culture, and codes of conduct, as well as performance management processes and other bank-wide high level controls. Financial Process Controls, an evaluation of the reliability of our financial process controls. Our work during 2003 and 2004 in these two programs positioned CIBC to attest to the management reporting requirements of section 404 of the Sarbanes-Oxley Act a full year ahead of the originally scheduled reporting deadlines.

7 6 In fact, CIBC was the first financial institution in the world to achieve this attestation. The other two subprojects in the Controls program include: Legislative Compliance Management - a review of the effectiveness of our controls to ensure compliance with the many laws and regulations we are subject to and Operational Process Controls, to assess the effectiveness of the controls over our operations. In both areas, we are applying the same documentation and testing standards as we set for financial and general entity controls. Our work on operational process controls is nearing completion but we will continue our work on Legislative Compliance controls for some time. A fifth and foundational element of the CIBC controls program is the design and development of an Internal Controls Repository. This application when implemented, will provide CIBC with the ability to store, update and track control documentation and manage remediation plans across all of the control streams. Not an insignificant requirement, when you consider that our final control framework will have documentation, testing and remediation update data for literally thousands of individual controls, organized into lines of business and oversight responsibilities.

8 7 Separate from the Controls program we also introduced a number of other governance and control initiatives, which include: Global Reputation and Legal Risk where we developed and implemented a process to ensure ongoing sustainability in managing global reputation and legal risk, including training more than 37,000 CIBC staff. We introduced a new bank-wide policy to guide the management of all client transactions across the organization. Internally we established a senior committee to review escalated transactions; and provided employees with a confidential hotline where they can report any potential irregular business activities. Board and Senior Management Reporting where we redesigned the key reports to our Board and senior management, enhancing the information provided for effective governance and decision-making Board Renewal Plan where our Chairman developed and implemented a Board Renewal Plan that included the review and update of our Board mandates, including benchmarking them to leading practices and making them available online via our corporate website.

9 8 Compliance Review where we completed a review of our Compliance function and re-engineered the department and its processes to strengthen our internal controls over regulatory compliance, and Anti-Money Laundering where we updated our anti-money laundering initiatives and training for all employees and introduced advanced training to all US and Canadian employees working in specific business units who support or conduct cash transactions. Given their size and scope, some of these initiatives as well as those in the CIBC controls program were run as projects with dedicated project managers. We recognized early that sophisticated project management was required to meet the extremely tight deadlines we had set for ourselves. Building upon the COSO framework CIBC s control framework has been modeled on the internal control framework endorsed by the Committee of Sponsoring Organizations of the Treadway Commission commonly referred to as COSO, the industry standard.

10 9 We adopted the COSO model for a number of reasons. Not only is it the industry standard and one of the recommended models to help meet the SOX 404 requirements, more importantly, it provides a sound basis for establishing a system of internal control that ensures comprehensiveness and effectiveness if properly implemented. Ultimately the four fundamental management objectives that form the basis of the COSO framework will help us monitor whether: The high level strategic goals of CIBC are aligned with and support our entity s mission. The operations of CIBC make effective use of our limited resources. The financial reporting provided to shareholders and other external stakeholders is reliable and fairly presented, and The conduct and actions of CIBC s Board of Directors, executives and employees is in compliance with applicable laws and regulations. The framework also forms the basis for an ongoing attestation process by management that will affirm ongoing control in all aspects of the business. To-date, CIBC s investment in governance and control implementation strategies has surpassed $60 million. Add to this the time and human capital investment and you have an intense commitment no matter which way you measure it.

11 10 This commitment and investment has begun to be recognized with some tangible results. In fiscal 2004, we were pleased to receive external validation of the strength of our governance practices in several governance surveys and rankings. Received AAA+ rating in the 2004 Board Shareholder Confidence Index assessed by the Clarkson Centre for Business Ethics and Board effectiveness at the Rotman School of Management Tied for 11 th place with a score of 92/100 in The Globe and Mail s Report on Business Corporate Governance Ranking Scored in the 93 rd percentile overall, relative to global peers, by GovernanceMetrics International. Received a score of 93/100, tying for 11 th place in Canadian Business magazine s ranking of Best Boards. CIBC s strong governance performance also contributed to CIBC s inclusion once again in the Dow Jones Sustainability World Index in And in early fiscal 2005, CIBC was rewarded for its governance and control efforts with an improved credit rating from one of our key bond rating agencies. In its assessment, Dominion Bond Rating Service (DBRS) credited CIBC for its improvements in governance and control.

12 11 This immediate and tangible evidence of governance and control return on investment is not only attractive to shareholders and regulators, it helps to prove just how critical and influential a sound governance and control strategy can be. Challenges and lessons learned So, what were some of our challenges and lessons learned? At the risk of making a complete understatement, I need to emphasize that the rollout of an initiative of this scope and scale is not easy. While we exceeded our expectations, we encountered more than a few challenges along the way. Engaging all stakeholders to secure buy-in. We needed to convince business partners that this work was essential, on strategy, and would help us meet our vision of leadership in client relationships Coordinating efforts among separate project streams Managing resistance to change once theory turns into reality Ensuring framework and processes align with legislative and regulatory requirements (SOX, BASEL II) while supporting day-to-day management and measurement of operational risk Aligning and integrating technical applications Planning timing and rollouts with various assertion and reporting requirements

13 12 Recommendations for others To help your respective organizations meet with success, here are some recommendations or what we call internal control principles, to consider: Demonstrate a clear and supportive tone at the top Projects like this don t happen without that support Define key roles and responsibilities clearly Solicit input and buy-in and create a sense of ownership Invest (over invest) in planning, training, testing and communicating. I d especially emphasize the planning component. If we could start over, we d spend more time on planning to ensure smoother implementation Determine an appropriate pace but set the bar high Orient external resources to the culture and nature of your business so that work is conducted in a way that is right for your organization Create advisory teams but make sure everyone knows who is running the program Focus on sustainability to make sure that you preserve the value of the project exercise Recruit and retain key resources early to ensure retention and transfer of knowledge Recognize and reward the people that need to implement this difficult work. It s people that make change successful.

14 13 Governance and control sustainability So where do we stand on our efforts? Well, after more than a year of tremendous effort across the organization, the critical first phase of our governance and control work is now complete. Next comes the equally challenging second phase of ensuring our global governance and control work can be sustained over the long term. The combination of all of these initiatives remains a significant agenda for CIBC. Our governance and control initiatives represent many person-years of effort, many millions of dollars of execution cost, and critical objectives we simply must meet. To succeed and continue our leadership position, we remain committed to a delicate balance between discipline, flexibility, anticipation and innovation. Conclusion trust, teamwork and accountability At CIBC, our Governance and Control program is about building and deepening trust with our clients. While trust, teamwork and accountability are the core values at CIBC, being the leader in client relationships and having trusting relationships with those clients is the vision we strive to achieve every day and one that is fundamental to our future. Thank you for your attention. I d be pleased to respond to questions.