Bridging the risk and control information gap
PricewaterhouseCoopers Australia, 2006
www.pwc.com/au

Many company directors are surrounded by a sea of corporate governance data yet lack the quality, well organised information they need to fulfil their duties. A recent research study by the Economist Intelligence Unit, completed on behalf of PricewaterhouseCoopers, found that a majority of directors and senior managers in the Australian corporate community are frustrated with the value and volume of information they have to deal with. In the survey, 42% of respondents said the information they receive on internal controls lacks comparability, while 33% said it was incomplete. With some directors measuring committee papers in inches, 23% said the information they receive is too detailed.

The research also found that, after an extended period of implementing compliance and governance-related frameworks, there is a feeling of 'governance fatigue'. These efforts have delivered progress but have not always been complementary, creating undue complexity and resulting in information overlaps and gaps. Many organisations are now facing new investments to gain efficiency and effectiveness from control structures. They are looking to reduce quantity in favour of quality: more succinct, relevant and trustworthy information that enables better oversight. They also want the information to be 'rich', showing what is really happening in the business.

While reducing the cost and complexity of controls is the domain of management, we believe boards can play a vital role in improving the quality of internal controls information. The five simple, yet complete, steps outlined in this paper are:
1. Be clear about what matters: understand what risk and control information is important
2. Choose relevant indicators: know the right indicators, particularly early warning signs
3. Cover the whole business: design monitoring and reporting processes that cover the whole business
4. More analysis, less data: discover the underlying sources of problems
5. Seek assurance: align audit areas to business needs and expectations.

With continued effort, we are confident organisations can build on the considerable investments they have already made in internal controls for the benefit of all stakeholders, from management and boards to investors, customers and regulators.

"Let me just put the other side of the question – do directors need help to understand the control posture of the organisation? Answer: Yes. I think a lot of people are struggling."
– Director of four ASX Top-100 companies

Strategies to address the gap

The PwC strategies to address the risk and control information gap are based on our view of best practice. The strategies are listed below, and each is explored further in this publication.
1 Be clear about what matters
2 Choose relevant indicators
3 Cover the whole business
4 More analysis, less data
5 Seek assurance

1 Be clear about what matters

For many companies it is unclear what risk and control information is important. However, those companies that have analysed their risk tolerance are much better able to focus on and communicate their priorities. Articulation of risk tolerance is not a one-off exercise, and clarity about what the board and senior management expect to receive is critical. This can be expressed in different ways, but is generally stated in terms of control failures, issues or risks that have the potential to have an impact above tolerance levels across the key areas that matter to the organisation. These can include, for example, financial, people, customers, operations, regulatory compliance and reputation.

2 Choose relevant indicators

Most companies monitor breach and incident statistics and customer complaints, that is, what has already gone wrong. While it is important to monitor these within the parameters of an escalation framework, there are also very good predictive indicators which can provide early warning of the potential for problems. Some of the best indicators can be:
• staff turnover
• absenteeism
• staff engagement
• customer feedback
• extent of business change
• quality of relationships with regulators.

Leading organisations have begun the journey to identify the correlation between these indicators and 'what has gone wrong', and are increasingly using the information to stimulate proactive discussions in the affected areas.

At a large insurance company, the head of group risk and compliance has developed a behavioural model articulating desired practices that, if evident, constitute proactive management of risk. From the model, the company has developed a series of questions that have been incorporated into the annual staff survey on employees' attitudes to a range of matters. The topics include how employees feel about communicating 'bad news' within their business group, and the effectiveness of detective and recovery controls. The company has built a knowledge store of 10,000 datapoints from which it can refine strategies to identify lead risk indicators. The survey data is used to determine the relationship between losses and cultural and behavioural factors, and to identify risk 'hotspots' within the organisation.

3 Cover the whole business

One of the key concerns, particularly in complex businesses, is 'what don't we know?' This can lead to questioning and investigations based on a need to test the system. While it is critical to probe and question, it is also important to know that the processes for monitoring and reporting on the business are designed to be complete. There are two aspects to this:
• designing the monitoring and reporting processes to cover the aspects that have been agreed to be important (the risk tolerance)
• covering the whole business, especially where processes cut across functional responsibilities or geographic regions.

The cost of implementing Sarbanes-Oxley relative to its benefit has been widely criticised. However, one of the benefits companies have found has been the reconnection with core business processes: understanding how processes are designed to work and how they are actually operating in practice. It has also provided a major reinforcement of responsibility for processes and controls. Even without the cost of Sarbanes-Oxley style testing programs, understanding the end-to-end process and allocating responsibility for risk and control will deliver benefits.

The other dimension to consider is the pervasive, company-level controls that operate across the business. These controls are often driven by policy in areas such as codes of conduct, HR practices (recruitment, remuneration, performance management), delegations and IT governance. Again, understanding how these policies or requirements are actually applied in the business is a critical indicator of how risk is being managed.

Finally, adopting a holistic view of risk and control management urges organisations to recognise that a focus on process and controls alone is not sufficient to drive effective behaviour. There is now a growing realisation that successful business outcomes depend on consistently appropriate workplace behaviour, which is driven by widely shared and reinforced perceptions, values and attitudes associated with risk and controls.

4 More analysis, less data

In most cases, the underlying reasons why things go wrong are not the intentional breach of a limit or a knowing failure to follow regulatory requirements. The causes are often deeper, and there can be a range of factors, for example:
• staff are not properly trained or lack appropriate experience
• there is a lack of monitoring or supervision
• processes are not clear or are not designed appropriately
• responsibilities are not clear
• systems are not aligned to the required processes
• the 'wrong' behaviours are rewarded.

The list can go on. Generally, there are a number of risks, issues and incidents which, when taken together across the business or within an area of the business, are a strong indicator of the underlying problem that requires attention. This type of analysis, if done routinely and monitored, can be very valuable in heading off potentially larger problems which may not be apparent without connecting the dots.

A large financial institution issued an incorrectly calculated price to the market. While initially attributed to incorrect advice from the tax department, on further investigation it was discovered that:
• no one 'owned' the end-to-end process (no end-to-end accountability)
• no one was responsible for escalation of a price change (no set change tolerances requiring escalation)
• the incentive scheme rewarded those who met the deadline, not those who found problems (no alignment between controls and reward structures)
• the underlying data had not been 'backed up' and the originals were overwritten the following day (no audit trail or secure pricing history)
• the management meeting to review prices was poorly attended, and those who could have asked the questions were not there (poor oversight by management).
Many, if not all, of these contributory factors could have been avoided.

5 Seek assurance

External and internal audit are critical in providing assurance across the whole business. The areas of audit focus can be aligned to the framework that has been agreed: the risk tolerance, the escalation framework, the completeness of business reporting (processes and company-level controls), the quality of analysis and any other aspects that have been agreed. By clearly setting out the requirements and expectations of the business, and aligning the areas of audit feedback to provide assurance that those requirements and expectations are being met, the potential information gap is designed to be closed.

Conclusion

"At the bank, when an issue is raised, judgement is exercised, it is rated, a completion date is set, and responsibility is apportioned. Over a period you can build up a view as to how many issues, how significant are they, where they are, and whether they are being dealt with. I think that is fabulous for a controls posture and many organisations don't do that. The better you do that, the better it is because you can then show that to the board … there are 963 issues, of which 15 are very serious, 400 are serious, 500 no one really cares about but they have got to be fixed, and you can look over a period of time at the total company or business units, and get a feel for the number of issues, whether they are getting better or worse, how many new ones are coming on, how many are coming off. That is where I think the value lies. [My other directorship] doesn't have that at all. What do they do? They write tomes, tomes of internal controls issues, which you just can't physically keep up with. So I am going to convert [that company] to the bank's methodology."
– Director of several Australian public companies, including a bank

The key message is that investing in the design of the risk and control framework and the related assurance framework can provide boards and senior managers with confidence in the information they are receiving and relevant insight into the business. Make sure the required information is being gathered, that it is predictive as well as historical, that it reflects the end-to-end process, that it is properly analysed and then escalated to the appropriate level for action (according to the risk tolerance of the organisation), and that assurance is sought for further comfort.

If you would like more information on any of the following topics, please speak to your PricewaterhouseCoopers contact or any of the following:
• Internal controls
• Risk and compliance culture
• Sustainable internal controls processes
• Simplification of controls and cost reduction
• Benchmarking your controls effectiveness
• Improving the quality of your internal controls information

Adelaide
Kim Cheater, Partner, (08) 8218 7407, [email protected]
Melbourne
Chris Billington, Partner, (03) 8603 3614, [email protected]
Mike Bridge, Partner, (03) 8603 3652, [email protected]
Sydney
Merran Dawson, Partner, (02) 8266 2959, [email protected]
Mark Gilbraith, Partner, (02) 8266 7522, [email protected]
Robin Low, Partner, (02) 8266 2977, [email protected]
Richard Mirabello, Partner, (02) 8266 2311, [email protected]
Brisbane
Chris Johnson, Partner, (07) 3257 8570, [email protected]
Perth
Simon Ford, Partner, (08) 9238 3554, [email protected]

© 2006 PricewaterhouseCoopers. All rights reserved. PricewaterhouseCoopers refers to PricewaterhouseCoopers Australia or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity. This document is provided by PricewaterhouseCoopers as general guidance only and does not constitute the provision of legal advice, tax services, investment advice, or professional consulting advice of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal or other competent advisers. The application and impact of laws can vary widely based on the specific facts involved. Given the changing nature of laws, rules and regulations, there may be omissions or inaccuracies in the information presented herein. Before making any decision or taking any action, you should consult a professional adviser who has been provided with all the pertinent facts relevant to your particular situation. WL36762 / 07-06. Liability limited by a scheme approved under Professional Standards Legislation.