understanding the control environment timur gök caribbean association of audit committee members...

Understanding theControl Environment

Timur Gök

Caribbean Association of Audit Committee Members

Basseterre, St. Kitts

30 September – 2 October, 2010

2

Outline

• Internal Controls

• Towards an Alternative Approach

• Strategic Control

• Risk Management

• Conclusions

Internal Controls

4

Internal Controls

• System of controls– Put in place to provide reasonable assurance

that the corporation will achieve its objectives, including efficiency and effectiveness of operations, reliable reporting, and compliance with applicable laws and regulations

– A strong system of internal controls is imperative to effective ERM

– Consists of the control environment, pervasive control plans, and business control plans

Gelinas and Dull, Accounting and Information Systems (2007).

5

Internal Controls

• Control environment– The tone set by the BOD and top

management regarding the general awareness of, and commitment to the importance of, control throughout the organization


6

Internal Controls

• Business process controls– Procedures that identify specific business

risks to prevent interruption of operations

• Pervasive controls (and general controls)– The governance structure and ancillary

control procedures that keep the corporation “on track”


7

Framework for Internal Controls

• COSO– Also the framework suggested by PCAOB in

Auditing Standard No. 2 as a suitable framework to guide management’s assessment of internal control for SOX Section 404

• But how does one apply the COSO framework to implement ERM?– “COSO … seems like an instruction manual

that never got around to giving actual instructions”

8

COSO Framework

10

• Imagine if you will, that on some Christmas Eve, facing a slew of unassembled children's toys, you were to read the instructions that come with your child’s new bicycle, which is completely unassembled. To your horror, you find that the authors of the instructions used, as a guide, the COSO framework. The first few pages discuss the definition of "bicycle" and "ride". They then go into a definition of "assembly" which reads, "Assembly involves the processes and procedures undertaken by a person or organization to put together the various parts of a disassembled object such that it provides a complete and whole object."

B. Vance, Why ERM Frameworks do not work (2007).

Towards an Alternative Approach

12

Better Models and Stress Tests?

• Could “better” models and stress testing have saved us from financial ruin?– Conditional VaR—capture spillover effects in

troubled markets, such as losses due to distress of others

– Continuous VaR—measure within-horizon probability of loss

– Simulations and stress testing

13

Strategic Risk

• “[A]rray of external events and trends that can devastate a company’s growth trajectory and shareholder value”

Slywotzky and Drzik (2005)

• “Risk stemming from an inability to adapt to changes in the environment”

14

Strategic Risks

Slywotzky and Drzik, “Countering the biggest risk of all,” Harvard Business Review, April 2005.

15

Risk Taxonomy & Risk Contribution

Kuritzkes and Schuermann (2007)

16

Strategy v. Tactic

• The starting point is corporate strategy

• Strategy– Overall plan for deploying resources to

establish a favorable position

• Tactic– Scheme for a specific action

• Strategy is about winning wars; tactic about winning battles

17

Strategy

• Provides a link between the firm and its environment

Firm

• Goals and values

• Resources/capabilities

• Structure/systems

Industry Environment

• Customers

• Suppliers

• Existing competitors

• Potential competitors

and substitutes

Strategy

External Factors

Internal Factors

R.M. Grant, Contemporary Strategy Analysis, 4/e. Blackwell, 2002.

18

Strategic Analysis

• Conduct a strategic analysis to develop and articulate a strategy

• Analyze “how the firm can generate returns (rents) in excess of the opportunity costs by engaging in a more effective corporate/business strategy”– Corporate strategy as domain selection– Business strategy as domain navigation

R.M. Grant, Contemporary Strategy Analysis, 4/e. Blackwell, 2002.

19

Shareholder Value Approach

E. Maug, “Valuation and shareholder value.” Lecture slides.

Strategic Control

21

Strategic Control

• Process of monitoring and correcting a firm’s strategy and performance

• Traditional approach to strategic control– Strategies are formulated and top

management sets goals– Strategies are implemented– Performance is measured against the

predetermined goals set

Dess, Lumpkin, & Eisner, Strategic Management, McGraw-Hill Irwin (2010).

Traditional Approach

• Most appropriate when– Environment is stable and relatively simple– Goals and objectives can be measured with certainty– Little need for complex measures of performance

22Dess, Lumpkin, & Eisner, Strategic Management, McGraw-Hill Irwin (2010).

Contemporary Approach

• Contemporary control system– Continually monitor the environments (internal

and external)– Identify trends and events that signal the need

to revise strategies, goals and objectives– Exercise informational control– Exercise behavioral control



24Dess & Lumpkin, Strategic Management, McGraw-Hill Irwin (2010).


• Informational control– Concerned with whether or not the

organization is “doing the right things”

• Behavioral control– Concerned with whether or not the

organization is “doing things right” in the implementation of its strategy


Behavioral Control

• Behavioral control is focused on implementation—doing things right

• Three key control “levers”– Culture– Rewards – Boundaries


Why Culture and Rewards?

• The competitive environment is complex and unpredictable, demanding both flexibility and quick response to its challenges

• The implicit long-term contract between the organization and its key employees has been eroded


Culture

• Culture sets implicit boundaries (unwritten standards of acceptable behavior)– Dress– Ethical matters– The way an organization conducts its

business

• Culture acts as a means of reducing monitoring costs


Sustaining an Effective Culture

• Effective culture must be– Cultivated– Encouraged– Fertilized

• Maintaining an effective culture– Storytelling– Rallies or pep talks by top executives


Rewards and Incentives

• Rewards and incentive systems– Powerful means of influencing an

organization’s culture– Focuses efforts on high-priority tasks– Motivates individual and collective task

performance– Can be an effective motivator and control

mechanism


Effective Rewards and Incentives


Example: TIAA-CREF Principles


Boundaries and Controls

• Improve operational efficiency and effectiveness

• Minimize improper and unethical conduct


Organizational Control


Putting It All Together

• Corporate Governance– Improve operational efficiency and

effectiveness– Minimize improper and unethical conduct


Risk Management

37

Better Models and Stress Tests?

• Could “better” models and stress testing have saved us from financial ruin?– Conditional VaR—capture spillover effects in

troubled markets, such as losses due to distress of others

– Continuous VaR—measure within-horizon probability of loss

– Simulations and stress testing

38

Yes, But…

• British regulators found that banks’ stress tests before the crisis were very modest– “There was absolutely no incentive … to run

severe stress tests … because if there were such a severe shock, they would very likely lose their bonus and possibly their jobs [and] in that event the authorities would have to step in anyway to save a bank and others suffering a similar plight.”

A. Haldane, “Why banks failed the stress test,” (February 2009).

39

Models and Objectives

• Lynda Gratton, who was Chief Psychologist in the early 1980s at British Airways when the company was starting to break free from its state-owned origins, observed “nervous young avionic apprentices arriving for job interviews carrying large bags containing Airfix models of aeroplanes.”

S. Stern, Lunch with the FT, Financial Times (February 5, 2010).

40

Models and Objectives

• “We had to convert an organisation which loved aircraft [British Airways in the early 1980s] into an organisation which loved people, and that was a rather difficult thing to do.”

Lynda Gratton

S. Stern, Lunch with the FT, Financial Times (February 5, 2010).

41

Purpose of Risk Management

• Likewise, risk management is not just about quants and their models, but it is about making institutions more resilient

Case Studies

43

The Titanic

• Stresses similar to what the Titanic experienced in its collision with the iceberg were applied to the joint, and the top of one of the rivets popped off, at a load only 60 percent of what a good quality rivet should have withstood.

44

Challenger

• Gray smoke escaping from the right side

45

Vietnam and the Dereliction of Duty

• During the Vietnam war, … [t]he joint chiefs of staff were warned by their chairman, Maxwell Taylor, that Lyndon Johnson did not like "split advice". Johnson's defence secretary, Robert McNamara, argued that government would be ineffective if department chiefs were to "express disagreement" with the president. Not disobey, but "express disagreement". Johnson trusted McNamara implicitly and relied too heavily on the advice of a man he praised as a "can-do fellow". Isolating himself from dissent, the president made a series of disastrous decisions.

T. Harford, “Listen to the bearers of bad news,” Financial Times, (Feb. 25, 2010). From Dereliction of Duty by H.R. McMaster (1997).

46

Iraq

• “Mr. Rumsfeld would not even let his commanders use the word ‘insurgent’. This Orwellianism made it much harder for army officers to rely on the appropriate doctrine: a counter-insurgency strategy.”

T. Harford, “Listen to the bearers of bad news,” Financial Times, (Feb. 25, 2010).

47

Oversimplification

• IPCC's thorny mission: Take sophisticated and sometimes inconclusive science, and boil it down to usable advice for lawmakers. To meet that goal, scientists working with the IPCC say they sometimes faced institutional bias toward oversimplification.

J. Ball and K. Johnson, WSJ (Feb. 26, 2010).

48

Warning Ignored

• Werner Hoeger, an Olympic luge athlete injured in a crash at the Whistler Sliding Centre in November, had warned Canadian officials about safety hazards at the track months before a competitor was killed at the Vancouver Games in an accident on the same course.

J. Abrams and K. Thomas, NY Times (Feb. 19, 2010).

49

Hurricane Expert Dismissed

• Ivor van Heerden, an internationally known hurricane expert, lost his job at Louisiana State University. He and other experts said it was because of his outspoken criticism of the federal government’s flood protection of New Orleans.

• In the years before Hurricane Katrina, in 2005, he sounded alarms about the potentially devastating impact of a major storm on New Orleans despite 40 years of hurricane protection efforts.

J. Schwartz, NY Times (Feb. 11, 2010).

50

Toyota

• Toyoda Concedes Profit Focus Led to Flaws

• Regulators Hired by Toyota Helped Halt Investigations

N. Shirouzu, WSJ (March 1, 2010) and Bloomberg.com (Feb. 13, 2010).

Graphic, NY Times (Feb. 2, 2010).

52

The significant problems we face cannot be solved by the same level of thinking that

created them.Albert Einstein

Conclusion

54

Lesson?

• “It is the human element that completely dominates risk.”

Managing Risk (2009)

R. Duffey and J.W. Sull

Timur Gök

Regional Director, PRMIA Chicago

Visiting Associate Professor

Director, Arditti Center for Risk Management

Department of Finance

DePaul University

Chicago, IL 60604

312/362-5001

[email protected]

understanding the control environment timur gök caribbean association of audit committee members...

Documents

coso framework

internal controlscosoalso

suitable framework

business control plansgelinas

ancillary control procedures

information systems

pervasive control plans

stress testing