BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms.
Main Line Association for Continuing Education
A Convergence of Enterprise Risk Management and Ethics Monitoring Programs September 19, 2013
Page 2 MACE – Convergence of ERM and Ethics Monitoring Programs – September 19, 2013
Enterprise Risk Management Basic Risk Factors Contributing to Catastrophic Consequences
Agenda
• ERM and Ethics Primer
• Inertia of ERM Programs
• Ten Basic Risk Factors
• Bhopal Disaster & Recent Events
• Lessons Learned
• Instituting an ERM Program & Incorporating Risk Factors
• Instituting an Ethics Monitoring Program
What is ERM?
Enterprise Risk Management is a process to identify, assess and mitigate risk.
“… a process, effected by an entity's board of directors, management and other personnel,
applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity,
and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.
ERM Recognized Frameworks
• COSO ERM 2004
• Open Compliance & Ethics Group (“OCEG”)
• ISO 31000
• National Association of Corporate Directors
• King Report (South Africa)
• Cadbury and Turnbull (UK)
ERM Recognized Framework – Basel II & III Accords
[Diagram: the three pillars of the Basel II & III Accords – Minimum Capital Requirements, Supervisory Review, Market Discipline – shown alongside Capital Reserves and the Regulatory Capital Computation. Risk types shown: Credit Risk, Operational Risk, Market Risk, Systemic Risk, Concentration Risk, Image & Reputation Risk, Liquidity Risk, etc. Stakeholders shown: Investors, Depositors, The Market in General.]
The goal is for banks and other financial institutions to set aside capital in the event of a market collapse.
WHAT IS ETHICS?
Ethics is the study of standards of behaviour which promote human welfare and “the good”.
Business ethics is the study of standards of business behaviour which promote human welfare or “the good”.
Ethics is about how we trust each other, even those we do not know.
Ethics is not...
• Feelings
• Religion
• Conscience
• Following the law
• Following what everyone else does
Defense Industry Initiative (“DII”) Effective Ethics and Business Conduct Program
Institute of Internal Auditors – View of Ethics
A strong ethical culture is foundational to effective governance.
An ethical culture is created through a robust ethics program,
setting expectations for acceptable behaviors in conducting business within the organization and with external parties.
It includes:
• Effective board oversight,
• Strong tone-at-the-top and senior management involvement,
• Organization-wide commitment,
• Customized code of conduct,
• Timely follow-up and investigation of reported incidents,
• Consistent disciplinary action for offenders,
• Ethics training and communications,
• Anonymous incident reporting system, and
• Ongoing monitoring systems.
IIA Standards require that the internal audit activity evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.
ERM Continued – Misunderstanding of ERM
• Surveys detail inconsistencies
• Individual beliefs vs. collective understanding
• “I get it, but they don’t.”
ERM Continued – Misunderstanding
• “I get it, but they don’t.”
• ERM continues to be elusive
• Frameworks are principles-based
• Lack of universal understanding
• Amorphous and arcane
ERM – Integrity and Ethical Values
• A core principle of ERM
• Ageless application
• Foundational concept
ERM – Cultures Not Wanting to Know
• Integrity and ethical principles deal with problems head-on
• An “open door” policy, yet managers are not approachable
ERM – Creating a Culture that Cares
• Who cares?
• Why care?
• Leadership must show they care.
ERM – Results of Recent Polling
Current State of Enterprise Risk Oversight – July 2012, North Carolina State University, Poole College of Management & AICPA
618 responses from CFOs or equivalent senior positions
• 62% believe the volume and complexity of risks has significantly changed in the past 5 years
• 68% have been caught off guard (somewhat to extensively) by an operational surprise in the past 5 years
• 23.4% have “complete” ERM processes in 2012 (vs. 8.8% in 2009)
• 46% of the largest public organizations have a “complete” ERM process vs. 10% of not-for-profits in 2012
• Nearly 40% have no ERM process in place
• 66% of organizations experience pressure from the Board or regulators for more information about risks
• Nearly 50% have a risk committee in 2012 (vs. 22% in 2009) – over 70% of large, public & financial services organizations
• 38% of organizations maintain inventories of risk in 2012 (vs. 19% in 2009)
• 50% report risks at least annually to the board in 2012 (vs. 26% in 2009)
• Not-for-profits report fewer than 5 risks to the board (vs. large, public organizations, which report between 5 and 19 risks)
• Under 33% articulate “appetite” and “tolerance” of risks
ERM – Ten Risk Factors
Operational Risk Management: a case study approach to effective planning and response, by Mark D. Abkowitz
• Extends back 30 years or so
• 3 types of hazard – natural disasters, man-made disasters, terrorism
• Many events may be familiar
• All relate to what is happening today
ERM Ten Risk Factors
1. Design & Construction Flaws
• Designed to withstand forces
• Otherwise, prone to failure
• Faulty components, not assembled properly
2. Deferred Maintenance
• Continuous operation vs. shut down
• Procrastinate, especially when not malfunctioning
• One or multiple component failures
3. Economic Pressures
• Limited funding, tight budgets, strict cost-cutting measures
• Shoddy workmanship, lower-quality materials, eliminating backups
4. Schedule Constraints
• Eliminating important details
• Parallel tasks vs. sequenced tasks
ERM Ten Risk Factors
5. Inadequate Training
• Training not viewed as productive
• Contributes to mistakes
6. Not Following Procedures
• Repetitive activities give way to complacency
• Deviate from strict protocols
• Neglect or invention of new ways to accomplish tasks
• Others assume protocols are being followed
7. Lack of Planning and Preparedness
• Little forethought to the variety of scenarios, magnitude, alternatives, update
8. Communication Failure
• Inter- and intra-organizational communication breakdown
• Communication breakdown to the public
ERM Ten Risk Factors
9. Arrogance
• Overconfidence of an experienced person
• Individuals driving to succeed without regard for others
• Culture with a fear of reprisal for those who complain
• “I can handle anything.”
• Individual and corporate arrogance
10. Political Agendas
• Micro and macro levels of politics
• Developing countries seeking elevated status
• Relaxed safety standards
ERM Ten Basic Risk Factors and Events
Risk factors (table columns): Design & Construction Flaws | Deferred Maintenance | Economic Pressures | Schedule Constraints | Inadequate Training | Not Following Procedures | Lack of Planning & Preparation | Communication Failure | Arrogance | Political Agendas
Events (table rows), with the number of the ten factors marked as contributing to each:
• Hyatt Regency – 6
• Bhopal – 9
• Chernobyl – 6
• Exxon Valdez – 7
• Challenger / Columbia – 8
• Oklahoma City – 4
• Aum Shinrikyo – 4
• USS Cole – 6
• World Trade Center – 5
• London – 4
• Edmund Fitzgerald – 7
• Mount St. Helens – 3
• South Canyon – 6
• Sumatra-Andaman – 4
• Hurricane Katrina – 7
ERM Ten Risk Factors – Bhopal, India
Situation
• Bhopal, India
• Union Carbide Corporation (UCC) and subsidiary (UCIL)
• December 2, 1984, 11:30 PM local time
• 40 tons of methyl isocyanate (MIC) accidentally released
• 3,800 fatalities
• 11,000 immediate injuries
• Perhaps 15,000 subsequent deaths from residual MIC exposure
• 578,000 injured
Source: Five Past Midnight in Bhopal, by Dominique Lapierre & Javier Moro
ERM Ten Risk Factors – Bhopal, India
[Two map slides of the Bhopal site, provided by Google Maps]
ERM Ten Risk Factors – Bhopal, India – Series of Events
1934 – Union Carbide enters India
• India’s lax safety culture
• Low labor costs
• Untapped markets in India
Green Revolution – ’60s and ’70s
• Rising crop production
• More pesticides
• 1969 – UCC and UCIL establish the Bhopal factory and 13 others
• Ideal location
• Neighborhoods grew around the plant
December 2, 1984, 11:30 pm
• 132 gallons of water seeped into the MIC storage tank
• Reacted with MIC
• 40 tons of vapor leaked
• Workers’ eyes burning; they notify the supervisor
12:20 pm
• Supervisor takes action
• 12:50 am – first toxic alarm sounded in the plant
• Spraying water was deemed futile
• Workers flee upwind
• 2 am – public alarm is sounded
• Residents awoke in distress
Gas plume
• Gas spreads 5 miles downwind
• 8 square miles
• 900,000 people affected
• 3,800 fatalities
• 400,000 injured or disabled
• Thousands of livestock destroyed
• Tree defoliation
Methyl isocyanate (“MIC”) – a highly reactive, extremely hazardous substance; known to cause severe damage to the lungs, digestive tract, skin, reproductive organs, and eyes, even under short-term exposure.
ERM Ten Risk Factors – Bhopal, India – Series of Events
December 4, 1984
• UCC headquarters notified
• UCC downplays toxicity of MIC
• Internal documents describe deadly potential
• Warren Anderson, CEO, travels to the site and is arrested
• Anderson posts $2,000 bail and returns to the USA
UCC and the Indian Government, 1984 – present
• Indian government sought $3.3 billion in damages in US court
• Claim was dismissed
• 1989 settlement for $470 million, no indication of criminal or civil wrongdoing
• Most victims did not receive compensation until 2009
• 1999 – Dow subsumes UCC
• 2003 – Warren Anderson, culpable homicide
Today
• 15,000 deaths from residual exposure
• Several hundred thousand still affected
• Groundwater contains high concentrations of toxic chemicals
• Stocks of hazardous chemicals remain abandoned at the facility
ERM Ten Risk Factors – Bhopal Failures
UCC contends sabotage. Workers believe water seeped into the tank as part of a routine cleaning procedure. Unclear if water seeped due to inability to follow procedure or inadequate training.
ERM Risk Factors Contributing to the Bhopal Disaster
Design and construction flaws
• Gas scrubber to capture released MIC was designed for ¼ of the volume
• Flare tower designed for less capacity
• Water curtain was too short
• Storage tank was filled to over-capacity; overflow tank was already full
• 30-day supply of MIC kept on hand – a dangerous oversupply
Deferred maintenance
• Water was unable to drain due to clogged bleeder lines
• Leaky valves allowed water into the MIC tank
• Temperature and pressure gauges were deemed unreliable
• Refrigeration for MIC not functioning, resulting in overheating
• Temperature alarm did not function
Economic pressures
• Bhopal plant was never profitable with MIC production
• Over half of the workforce eliminated; maintenance reduced to 2 prior to the accident
• Remaining workforce – job insecurity, low wages, performed tasks they were not trained for
• Deferred maintenance, inferior components, some components shut down
Inadequate training
• Workers unaware of their responsibilities
Not following procedures
• Gas scrubber was shut down for maintenance
• Flare tower shut off for maintenance
Lack of planning and preparedness
• No indication of any formal emergency response plan
• Residents fled to the worst areas
• UCC did not inform local hospitals of chemicals used at the plant
Communication failure
• Local attorney threatened legal action for lax safety in 1983
• UCC’s hands-off policy – inadequate communication of dangers
• Operating manuals in English vs. Hindi, the local language
Arrogance
• UCC audit report contained 60 hazards, 30 considered major, 11 concerning MIC, and a significant likelihood of a major release
• Report and other warnings were not addressed
• An “understanding” that safety would not be enforced
Political agendas
• Identical plant in West Virginia – similar issues were addressed there
• Economic development was India’s highest priority
Page 28 MACE – Convergence of ERM and Ethics Monitoring Programs – September 19, 2013
ERM Ten Risk Factors – Accidental Drowning
May 28, 2011 – 3 ½ years old
• Design flaw?
• Economic pressure?
• Inadequate training?
• Not following procedures?
• Lack of planning and preparedness?
• Arrogance?
• Political agendas?
Page 29 MACE – Convergence of ERM and Ethics Monitoring Programs – September 19, 2013
ERM Ten Risk Factors – Penn State
• Sacred football program
• Economic engine of the University and Athletic Program
• Beloved coach (living saint to many, curmudgeon to some)
• Design flaw – too old to lead the football program?
• Inadequate training – see something, say something.
• Not following procedures – University, police, State Attorney General.
• Lack of planning and preparedness – the problem lingered for years.
• Communication – who said what to whom, and when?
• Arrogance – minors were in great danger
• Political agendas – you bet!
Page 30 MACE – Convergence of ERM and Ethics Monitoring Programs – September 19, 2013
ERM Ten Risk Factors – Lessons Learned
• Risk factors work together – disastrous consequences
• Political agendas – their significance must not be underestimated
• Communication failure in every instance, irrespective of cause
• Arrogance – far more significant than previously imagined
• Take planning and preparedness seriously – it should never be shortchanged
• Lack of uniform safety standards across different nations – uneven risk playing field
• Economic pressure is a chronic problem
• “Luck” can change fortunes – either way
• Not following procedures – in every man-made accident
• It usually takes a disastrous event to convince people
• Design & construction flaws – the bane of man-made accidents
• Risk is unavoidable in life – so identify and prioritize
Page 31 MACE – Convergence of ERM and Ethics Monitoring Programs – September 19, 2013
ERM Ten Risk Factors in the Context of ERM
Survey of risk factors:
• Design flaws?
• Deferred maintenance?
• Economic pressures?
• Schedule constraints?
• Inadequate training?
• Not following procedures?
• Lack of preparedness?
• Quality of communication?
• Arrogance?
• Political agendas?
C-Suite, aka the “Bridge”
Staff, aka the “Engine Room”
Identify “gaps”; develop mitigating actions.
Proprietary Information of BDO USA, LLP. Reproduction prohibited without written consent of BDO USA, LLP.
Page 32 MACE – Convergence of ERM and Ethics Monitoring Programs – September 19, 2013
IIA Methodology Used in Evaluation of Ethics
Institute of Internal Auditors’ Evaluating Ethics-Related Programs and Activities, June 2012. The IIA provided a compliance and ethics program maturity model to be used as a guide for evaluating ethics programs.
IIA Attribute – Code of Ethics
IIA Attribute – Culture and Consistency
IIA Attribute – Awareness
IIA Attribute – Structure and Accountability
IIA Attribute – Process Automation and Integration
IIA Attribute – Goals and Metrics
ERM and Ethics – Final Closing Thoughts
“Risk is unavoidable in life – so identify and prioritize.” – Mark D. Abkowitz
“A strong ethical culture is foundational to effective governance.” – The Institute of Internal Auditors
Page 40 Institute of Management Accountants – November 16, 2012
John McLaughlin, CPA, Partner, BDO Risk Advisory Services Leader, [email protected], 1.215.636.5665 (o)