PHILIP A F MARSHALL C.A. F.C.A July 14th 2011
Establishing the Governance Strategy
of the Audit Committee
Identifying the performance drivers within the organisation’s intangible assets – Human Capital, Information Capital and Organisation Capital - to optimise the contribution of the role of the Audit Committee to the financial governance of the enterprise.
NO TOPIC
I Developing the strategic direction of the organisation
II Strategic Control Assurance Plan
III Business Process Management Best Practices
IV Culture and Context – Organisational Capital
THE AUDIT COMMITTEE’S GOVERNANCE STRATEGY MAP
Developing the strategic direction of the organisation and establishing its long
term goals and objectives. The governance role of the Board and
Audit Committee
Strategic Thinking
Collecting, analyzing, and discussing information about the environment of the organisation, the nature of competition, and broad strategy design alternatives – different views of customer value proposition, scope, competitive advantage, and source of profit.
Role of the Board
• Be an active participant in the strategic thinking process.
• Bring an outside perspective.
• Test the consistency of management’s thinking.
• Collaborate with management.
Role of Management
• Initiate the process of strategic thinking.
• Set the agenda - pose the questions and issues.
• Provide meaningful information.
• Actively participate with the Board in the discussions.
• Summarize the output of Board and management working together.

Strategic Decision-making
Making the fundamental set of decisions about the business portfolio and business strategy design.
Role of the Board
• Provide input for management’s decision making.
• Provide ultimate review and approval on major decisions (resource allocation, initiatives, portfolio changes).
Role of Management
• Make critical decisions.
• Develop proposals to the Board for critical directional decisions and major resource allocation.
• Engage with the Board in its review of decisions.
ROLE OF THE BOARD/MANAGEMENT - REVIEW AND APPROVAL PROCESS - STRATEGIC DECISION-MAKING
Strategic Planning
Translating the critical strategic decisions into a set of priorities, objectives, and resource allocation actions to execute the strategy.
Role of the Board
• Review core strategic plans presented by management.
• Ensure understanding of the plans and their potential risks & consequences.
• Comment and make suggestions on plans, as appropriate.
• Approve plans.
Role of Management
• Develop plans, working with staff support and operating management.
• Review plans to ensure consistency with corporate objectives and the enterprise-wide risk management process.
• Present plans to the Board for review.
Copyright : Mercer Delta Consulting
P. MARSHALL: Adapted from Balanced Scorecard Collaborative Inc.
STRATEGY MAPS – LEARNING & GROWTH PERSPECTIVE
How do we create value from intangible assets?

Financial Perspective
Maximize the long term total return to shareholders
Productivity Strategy; Revenue Growth Strategy; Risk Management
• Expand Revenue Sources
• Enhance Customer Value
• Improve Cost Structure
• Increase Asset Utilisation

Customer Perspective
Customer Value Proposition
Price, Service, Functionality, Quality, Availability, Selection, Partnership, Brand
Product/Service Attributes; Relationship; Image

Process Perspective
• Operations Management Processes: processes that acquire and distribute products and services and integrate the supply chain outputs
• Marketing & Sales Processes: processes that identify unmet market needs and differentiate with innovative product/services concepts
• Customer Management Processes: processes that enhance customer value and are designed to manage the customer experience
• Enterprise Risk Mgmt Processes: processes that identify enterprise risks and proactively manage the potential risk events

Learning & Growth Perspective
Creating Alignment with Strategy; Creating Readiness for Change
Readiness for change - Align the intangible assets of an organisation with the strategic direction
1 Imbibe Values – performance and customer focus, teamwork: Create climate for action through alignment and empowerment.
2 Continuously build individual and organisation Competencies; Integrate IT in all business processes.

Intangible Assets
Human Capital + Information Capital + Organisational Capital
• Applications
• Databases – BI: KM
• Culture
• Leadership
• Knowledge Sharing
• Teamwork
• Values
• Skills
• Competencies
• Systems / Networks / Channels
• Business Process Assets

Governance Role of the Audit Committee?
Adaptation Messrs Kaplan and Norton - BSCD Governance Strategy Map
Audit Committee Governance Strategy Map clarifies the areas of focus of the Audit Committee in contributing to the role of the Board
STRATEGY MAP - BOARD GOVERNANCE
Map perspectives: Board Governance Processes; Stakeholder Value; Learning & Growth; Enterprise Contribution

Executive and Staff Oversight
Communications excellence. Ensure a teamwork culture and knowledge sharing
Governance Processes re Staff Performance on mutually determined Strategic objectives
Executive Succession Plans
Workforce acquisition and staffing plans
Enterprise Risk Mgmt
Information Security Management
Institutionalised Risk, Internal Control and Integrity frameworks
Ensure disclosures on residual risk are clear and reliable
Strategic Governance Outcomes
Financial Oversight
Resource allocation based on the entity’s Value Chain activities
Financial Governance Covenants to Lenders
Compliance
Intangible Assets Value Drivers Industry/Customer Segments
Process Competencies Knowledge Management
Ensure readiness for change and ability to execute
Performance Management BSCD Measurement
Assess Performance Drivers
Strategy options based on potential opportunities and risk appetite exposure
Strategy Management
Stakeholders Communications
Risk Management
Increase Profitability and Dividend Potential
Increased Value to Shareholders
Organisation capabilities: Strategic profit management
Knowledge Management Design of Management Process
Good communications & teamwork across Board Committees and in dialogue with top management
Information for Strategic Decision Making and Value reporting
Risk Management Leadership
Risk Management Structure
Ethics & Integrity frameworks
Increase Value Reported Sustainability Reputation & Trust
Monitoring, and reporting Outcome indicators
Strategic Alignment
• Strengthened Staff and Management capability.
• Clearly defined performance accountabilities
Reputation, trust, and transparency.
Ethics institutionalised in the environment
Reliability in Financial Reporting and Value Created Reporting and ROI on Capital Spend
Talent Retention. Effective succession. Enterprise Capability.
Board Governance Performance
• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws/regulations.
THE VALUE BASED VIEW OF STRATEGIC MANAGEMENT
VALUE DRIVER ANALYSIS
VALUE REPORTING
MANAGEMENT PROCESS RESIGN
VALUE ASSESSMENT Spread v. invested capital , by product
Scorecard
Economic profit
Growth
Industry growth
Share of market
Returns
Operating margin
Asset intensity
Capital structure
Performance reward
Performance monitoring
Planning
Value goals
Budgeting
Issue: How can we better communicate our performance internally and externally?
Output: Scorecard that tracks where and how value is being created on an ongoing basis
Issue: Where are we creating value?
Output: Growth and return priorities
Issue: How are we creating value?
Output: Operational initiatives to increase value
Issue: How can our management processes support value objectives?
Output: Ability to identify, fund, track, and reward value-creating initiatives
Copyright © 2002 by American Institute of Certified Public Accountants, Inc.
CFO Research Services on effect of Human Capital on Business Outcomes
Source: CFO Research Services
How much effect do you believe human capital has on each of the following business outcomes?
• Customer Satisfaction: 92%
• Profitability: 82%
• Innovation / Product Development: 72%
• Merger Acquisition Success: 71%
• Revenue Per Employee: 68%
• Speed to Market: 66%
• Growth: 64%
% of survey participants responding to the above with HCM “large effect” or “critical factor”
Learning and Growth Perspective - Human Capital
A Pathway to Principled Performance®: The OCEG Framework
THE BIG PICTURE OF ORGANISATIONAL PERFORMANCE
VOLUNTARY BOUNDARY: boundary defined by management incl. public commitments, organisational values, contractual obligations & other voluntary policies
MANDATED BOUNDARY: boundary established by external forces incl. laws, government regulation & other mandates
OBJECTIVES: strategic, operational, customer, process, compliance objectives
BUSINESS MODEL: strategy, people, process, technology, and infrastructure in place to drive towards objectives
OPPORTUNITIES
OBSTACLES & THREATS
OCEG 2007
Rise of Principled Performance - Defining the Boundaries of Conduct
Strategic Control Assurance Plan
Copyright : Standards AS/NZ HB 254 -2005 Governance Risk Mgmt Control Assurance
Corporate governance is an organisation’s strategic response to risk
[Diagram: Strategic Control Assurance Plan and Information Systems, with the control elements The Board, Organisation, Management Assurance and Independent Assurance]
The Board is responsible for the organisation’s overall control framework that complements the
strategic and operational planning process. This responsibility is discharged by setting
appropriate risk and control policies, and by seeking regular assurance regarding the
effectiveness of the control environment.
Control assurance operates through the five Control Elements as follows:
• Planning
• Board
• Organisation
• Management assurance
• Independent assurance
The Strategic Direction Plan is framed by four Control Elements
Organisation
The Organisation includes the Executive Director, senior
managers and staff, and delivers organisational outputs in
line with the planned corporate outcomes. This control
element provides the opportunity to exercise a high degree
of control through sound HR and ethical practices in an
environment of open communication. Monitoring and
performance review in this control element make significant
contributions to the Board’s strategy-management
responsibilities.
Management Assurance
Management Assurance provides the Board with assurance
through management monitoring, reviewing and reporting of
organisational performance against stated objectives and
compliance against laws, regulations, policies, procedures,
etc. Management teams or committees may be established
to assist in this process.
The Board
The Board as the shareholder representative has responsibility and accountability for organisational performance to key stakeholders. As well as its oversight role in ensuring adherence to established policies and the strategic direction, it has a tactical role in maintaining a watching brief over the external and internal environments and organisational performance through the Executive Director, and obtaining balanced assurance over the control environment from management and independent sources.
Independent Assurance
Independent Assurance presents the Board with objective
information on the control environment through independent
bodies such as external and internal audit, and audit
committees. This control element provides a check and
balance for the outputs of the Management Assurance
control element. When the Board receives positive feedback
on the control environment from these independent bodies it
can have confidence in the assurance received from
Management.
Goals and objectives–The focus of the Controls Assurance Plan
An understanding of the relationship between corporate governance, risk management, controls and strategies is fundamental to the successful implementation of the proposed Controls Assurance Plan. This relationship may be summarised as follows:
1 Corporate governance is a guidance system for the achievement of planned objectives–it is an objectives-focused concept.
2 Management of risk is part of each objective at all levels of the organisation.
3 Risk management develops risk treatment plans that are at the same time the controls and strategies associated with achieving each objective.
4 The meaning of control is broader than internal financial control and is expanded to include all planning and strategies put in place after the corporate objectives have been set. Transparency and probity are part of this control environment.
5 The control environment provides reasonable assurance to Boards and senior managers that the organisational objectives will be achieved within an acceptable degree of residual risk.
6 Corporate governance is an organisation’s strategic response to risk.
7 Reporting against performance measures for each objective is also a report on the effectiveness of strategies, controls and the risk management process for that objective. Risk management reporting is therefore part of performance reporting and not a separate exercise. Effective risk management is therefore the cornerstone of sound governance.
Control Assurance Plan - Information Systems
A Pathway to Principled Performance®: The OCEG Framework
Key Roles and Accountability – Governance Risk and Compliance Systems
Who should drive integration? What should it look like? To realize a high-performing GRC system, several key players must be actively involved in the design, implementation, & management of the system.
The Role of the Board
The Board has oversight of the system and ultimately is the primary beneficiary of it, since a strong GRC system enables the flow of accurate information necessary to effective governance. The Board must be an active monitor for shareholder and stakeholder benefit and must:
• Direct the purpose and desired outcomes of the system
• Set a charter for its involvement in the system
• Vet business objectives and ensure they are congruent with values & risks
• Be knowledgeable about the design and operation of the system
• Obtain regular assurance that the system is effective
• Gain reasonable assurance that management’s representations are sound
• Operate aspects of the system that require Board perspective and independence (eg overseeing senior management’s override of control activities)
The Role of Management
Management must undertake strategic planning and implementation of the GRC system. Taken as a whole, management must:
• Design, implement and operate an effective system or some aspect of a system
• Provide regular assurance about the effectiveness of the system
• Communicate with key stakeholders about the effectiveness of the system
• Evaluate and optimize the performance of the system
The Role of Assurance
Management should obtain and provide regular assurance about the effectiveness and performance
of the GRC system. An independent review can open up a view of the system that reveals not only
weaknesses in design or operation, but also opportunities for further integration and exchange of
best practices from one area of the organization to another.
For its part, the Board is required to obtain regular assurance about the effectiveness of the system and should use information developed independently of management to form impressions of the system’s effectiveness. Independent review is required. For purposes of reviewing a GRC system, internal personnel are ‘independent’ if they are independent of the underlying activity on which they provide assurance.
Assurance personnel, whether internal or external, should:
• Provide assurance that risks are appropriately identified, evaluated, managed and monitored
• Provide regular assurance to the Board and Management that the GRC system or some aspect of it is effectively designed to address identified risks and requirements in light of the organization’s culture and objectives
• Provide regular assurance to the Board and Management that the system or some aspect of it is effectively operating as designed.
Business Process Management Best Practices
Source : Denise Bedford Information Quality
Learning and Growth Perspective - Information Capital
Governance, Risk Management & Compliance Process Integration
There are many reasons an organisation seeks to integrate and align its governance, risk and compliance efforts into a GRC system:
1 The cost of complying with an increasingly complex, voluminous and ever-changing patchwork of legal mandates is always rising.
2 There is a lack of visibility into not only operational issues, but also risk and compliance activities.
3 There is unnecessary complexity and duplication of effort taking place to address risks and requirements as numerous processes and controls are buried in isolated silos.
4 The Board and senior management face increased accountability and liability.
5 There is redundancy in some areas and possible gaps in coverage for critical risks in others.
6 The cost of maintaining duplicate sets of information for different purposes and reconciling information when necessary is high.
Apart from the main governance, risk and compliance processes, other functional and process areas that comprise a holistic governance model include:
• Governance
• Risk Management
• Compliance
• Strategy and Business Performance Management
• Internal Control
• Corporate Security
• Legal
• Information Technology
• Business Ethics
• Quality Management
• Sustainability & Corporate Social Responsibility
• Human Capital and Culture
• Audit and Assurance
• Finance
Within the context of an integrated GRC system, the individual functions share a mutuality of interest, a common need for information and contribution to the organisation’s efforts to achieve Principled Performance.
Designing a Business Architecture
• In order to align technology with business, we need to design a business architecture
• Business architecture includes:
– Business framework to which all business definitions and models can be mapped
– Business process management best practices for representing business processes which are manageable by business analysts, understandable to business managers and executable by developers
Current State – Business Framework
• Organisations themselves may not have a comprehensive view of the entity’s
business, although there is a wealth of business knowledge and documentation
– Current business definitions may be constrained to what single organizational
units do and how they do it
– May be variations on a process across the organization
– Formal policies and procedures may not fully describe how work is done
– May be gaps in coverage of some business processes
– May be redundant descriptions of the same process which are not consistently
maintained
– May represent a technology view rather than a human workflow view
– May not describe all of the resources that are required to support a business
process
Business Process Management Best Practices
• Business process management recommends that we:
– Define internal best practices and guidelines to ensure that business process
models are consistently developed (ARIS Framework)
– Develop business models for processes, and inventory, register and publish
existing business models (Business Analysts & Stewards working with IQ and IS
teams)
– Recommend standards-based modeling and execution languages to be used by
developers for implementing business process models
– Build a business architecture layer as part of enterprise architecture
– Establish an enterprise governance process for business process management
Business Process Models
• A business process should be represented as models of end-to-end sequence of tasks or sub-processes, which describe all of the inputs, outputs and steps/activities required to execute the process
• ARIS framework provides us with a comprehensive view of a business process description
• Working within the business framework, and leveraging the ARIS business processing modeling strategy, we can both harmonize across the organization and standardize our current business knowledge
Architecture Information Systems Framework - Robust description of a business process includes all elements of the framework.
[Diagram: Business Process Description. Elements shown: Strategic Goal; Initial Event Message; Business Process Steps & Sub-processes; Result/Event; Data; Information Services; Other Services; Material Input; Financial Resources; Application Software Infrastructure; Technology Resources; Human Input/Output; Org Unit]
Business Process Models
To design a successful performance intervention, an organization must have a basic understanding of:
• The process’ inputs, steps, outputs; and the measures and standards for all three
• The individuals who will be performing in that process
• What specific performance is required/desired - and what the current level of performance is
• Exactly what knowledge and skills are required to perform
• The strengths and weaknesses of any current Training & Development
• The environmental (non-human) enablers required to perform
• The strengths and weaknesses of any current environmental (non-human) enablers
Business Framework and Business Process Management
• Looking back to the value proposition, we need a level of business process
description which will allow us to:
– connect any system associated with the process
– identify the people who support it
– link financial resources
– acknowledge but also cross organizational boundaries
– identify compliance (financial, records) points
– identify data and information quality control points
– Identify common steps and sub-processes to simplify and reuse applications
– provide managers with the capability to monitor the process for improvement
and planning purposes
Overview of Culture & Context
Learning and Growth Perspective - Organisation Capital
C1 EXTERNAL BUSINESS CONTEXT
Understand and, when necessary, influence the external business context in which the organization operates.
Principles
01 Understanding the ever-changing external context is critical to designing a GRC system that is resilient to change and can evolve with it.
02 Some aspects of the external context will change despite the organization’s best efforts to maintain the status quo.
03 Certain aspects of external context can, and in some cases should, be influenced by the organization.
04 The organization should recognize that there are external influencers, such as the media or community groups who can shape stakeholder opinion.
OCEG® Open Compliance & Ethics Group ®
C2 INTERNAL BUSINESS CONTEXT
Understand the existing people, processes, technology, organizational structure, stakeholders and key assets that drive organizational value.
Principles
01 Internal context analysis should focus on key aspects that drive organizational value.
02 The organization should design a GRC system that aligns with the internal context.
03 The organization should use the GRC system to identify and change certain aspects of the internal context to better support organizational objectives.
04 Some aspects of the internal context will change despite the organization’s best efforts to maintain the status quo, thus the GRC system must identify triggers that will require or cause it to evolve.
C3 CULTURE
Understand the existing culture including the organizational climate and individual mindsets about integrity, compliance, risk, and approach to management.
Principles
01 Leadership should set the tone at the top and provide consistent and repeated commitment to integrity in both words and deeds.
02 Individuals must be convinced that leadership is genuine about its commitment to values or they will not have any regard for the established values.
03 The GRC system can, and in some instances should, change certain aspects of the culture.
04 Some aspects of the culture will change despite the organization’s best efforts to maintain the status quo, thus the GRC system must have triggers that will tell it when to evolve to respond to cultural changes.
C4 VALUES & OBJECTIVES
Define what the organization wants to achieve and the values for which it stands.
Principles
01 Without the leadership to support clearly and regularly articulated mission, vision and values, the organization will operate on the values defined, ad hoc, by work groups or individuals according to their own beliefs and interests.
02 Values will vary for every organization - that said, values must include adherence to legal mandates and general principles of integrity and ethical conduct.
03 Whether the organization authorizes the Board or management, with Board approval, to set objectives, the Board must oversee management’s continual efforts to meet the established objectives.
04 Align objectives to stated values.
MAJOR STRATEGIC OBJECTIVE
RELATED ORGANISATION OBJECTIVES - Institutionalise Customer Focus Leadership Development Programs
MEASURES TARGETS STRATEGIC INITIATIVES

A Leadership
Build a cadre of leaders who can leverage human capital for competitive advantage. They deploy through direct coaching/mentoring of staff, the “customer engagement models” that drive the customer satisfaction/lifetime relationship value proposition.
• % internal vs. external hires
• % participation in customer focus leadership programs
Vision Awareness Program
Accountable for strategy
Strategy linked to budgets & operations
Improve key deficiencies

B Culture/ Strategy Awareness
Create an organisation that internalises the shared vision, strategy, and cultural values required to execute on the staff interaction behaviours that deliver the ‘customer experience’ outcomes
• % employees regularly surveyed
• Culture assessment
Formal information sharing program
Mentoring Program
Employee survey

C Alignment
Create an organisation where personal goals and incentives are aligned with customer focus and loyalty strategy; and one that encourages personal contribution
• Personal goals linked to BSC (%)
• % receiving incentive compensation
Alignment of HR Bus.
Balanced Scorecard
Cascaded Scorecards
Incentive Compensation

D Teamwork
Create teamwork and a culture to encourage the sharing of knowledge and experience needed by the Customer Focus strategy
• % using knowledge sharing channels
Key Staff Retention
Cross-Functional Teams
Shared Rewards
Messrs Kaplan and Norton - BSCD Collaborative
ACKNOWLEDGEMENTS
© OCEG 2009
President, Open Compliance & Ethics Group OCEG® / Driving Principled Performance ®
Mercer Delta Consulting
Standards AS/NZ HB 254 -2005 Governance Risk Mgmt Control Assurance
Denise Bedford Information Quality
American Institute of Certified Public Accountants, Inc.
Messrs Kaplan and Norton - BSCD Collaborative