treasury risk management

Transcription

1 Governance, Concise guide Risk to and Compliance treasury risk management

2 KPMG is a leading provider of professional services including audit, tax and advisory. KPMG in Australia has over 5000 partners and staff working across 13 offices and is part of a strong global network of member firms. Our vision is simple to turn knowledge into value for the benefit of our clients, people and our capital markets. Whilst the global financial crisis created challenges for business, one of the positives that has emerged is a desire for greater understanding of integrated risk management. In order to achieve this outcome there is a growing appetite to reform risk management through design and implementation of a cost effective and business-wide approach. KPMG provides a holistic approach to risk to help ensure the risk framework aligns to the core business agenda. We work to protect and enhance business value by helping reduce risk, cut costs and improve business performance. To us, risk and compliance is more than a box-ticking exercise, it is a critical investment that can underpin an organisation s long-term growth, value and sustainability. The Institute is the professional body for Chartered Accountants in Australia and members operating throughout the world. Representing more than 70,000 professionals and business leaders, the Institute has a pivotal role in upholding financial integrity in society. Members strive to uphold the profession s commitment to ethics and quality in everything they do, alongside an unwavering dedication to act in the public interest. Chartered Accountants hold diverse positions across the business community, as well as in professional services, government, not-forprofit, education and academia. The leadership and business acumen of members underpin the Institute s deep knowledge base in a broad range of policy areas impacting the Australian economy and domestic and international capital markets. The Institute of Chartered Accountants in Australia was established by Royal Charter in 1928 and today represents more than 58,000 members and around 12,500 talented graduates working and undertaking the Chartered Accountants Program. The Institute is a founding member of the Global Accounting Alliance (GAA), which is an international coalition of accounting bodies and an 800,000-strong network of professionals and leaders worldwide. charteredaccountants.com.au Disclaimer The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. KPMG and the KPMG logo and cutting through complexity are registered trademarks of KPMG International. Liability limited by a scheme approved under Professional Standards Legislation. All information is current as at April 2012 First published May 2012 Published by: The Institute of Chartered Accountants in Australia Address: 33 Erskine Street, Sydney NSW 2000 KPMG Address: 10 Shelley Street, Sydney NSW 2000 Governance, Risk and Compliance First edition ISBN: Copyright The Institute of Chartered Accountants in Australia and KPMG All rights reserved. ABN: The Institute of Chartered Accountants in Australia Incorporated in Australia Members Liability Limited ABN: KPMG

3 Foreword We live in uncertain economic times, with a return to stability among the international business community even more inexact. Company boards, in particular, are now faced with a set of circumstances rarely seen before, making transparency of information and compliance essential in reducing exposure to risk. The evolution of the role of boards along with audit and risk committees has led to greater need for insight into key risks, an understanding of how these risks are being managed, and greater assurance over key risks facing an organisation. Practically mapping out a strategic approach to governance, risk and compliance will provide organisations with a framework that supports the corporate strategy and allows senior management to manage risk as and when it arises. This Institute is pleased to have worked with KPMG on this paper, and I m confident the content will provide readers with a better understanding of the most appropriate means to control matters of governance, risk and compliance (GRC). Even more critically, identifying the risks aligned to these issues amid a climate of widespread volatility will serve to increase transparency while continuing to drive business performance. Craig Farrow FCA President Institute of Chartered Accountants in Australia 3

4 Governance, Risk and Compliance

5 Contents 1. Why are organisations seeking a better approach to governance, risk and compliance (GRC)? Convergence of GRC is evolving Integrating GRC Implementing a strategic approach to GRC Glossary

6 1. Why are organisations seeking a better approach to governance, risk and compliance (GRC)? Economic instability is adding to uncertainty. Organisations continue to be concerned about the risk environment, leading them to reassess the effectiveness and adequacy of the internal controls in place to manage their risks. This landscape, along with a rise in complexity and regulation, is putting a strain on how organisations govern themselves. Management is expected to enhance oversight and transparency while simultaneously driving performance and profitability. In the current economic climate, boards of directors are also facing stakeholder demands for more accountability in their organisation s governance systems, as well as delivering ongoing success. In this context, resilience is the key to organisational survival. Organisations need to achieve a robust balance of governance, risk management and compliance. Siloed approaches to managing GRC mean that the Board and management find it difficult to obtain a holistic view of how their organisation is managing risk and have found it increasingly difficult to obtain the right information for decision making. Unsurprisingly, Boards and Audit/Risk committees are asking for greater insight into key risks and compliance obligations, how these risks and obligations are being managed, and the depth and breadth of assurance over the key risks the organisation faces. Governance, Risk and Compliance

7 Key questions to ask: > > Do we have separate departments managing risk, compliance and assurance without an overarching framework? > > Is the quality and quantity of risk and compliance information provided to the Board and Audit/Risk committees appropriate to provide relevant insight at the right time? > > Do we need to piece together multiple pieces of information from risk, compliance and assurance departments/providers to obtain an overall view of our organisation s risk profile? > > Is the information we receive on our risk and control environment sufficiently transparent for informed decision making? 7

8 2. Convergence of GRC is evolving The emergence of an integrated approach to GRC is a response to the current market complexity and uncertainty. A strategic approach to GRC sees a focus on rationalising risk management, controls, assurance structures and processes. A strategic approach to GRC is not simply about a technology tool or just an approach for large complex companies; it is a different way of thinking that seeks to drive maximum value from complementary activities that have the same goal. Even more today, Boards and Audit/Risk Committees are asking for: > > Greater insight into key risks and compliance obligations > > An understanding of how these risks and obligations are being managed > > Greater assurance over key risks facing the organisation. A strategic approach to GRC enables the delivery of insightful information, which the Board and management can use to improve organisational performance, achieve compliance and reinforce resilience in times of market volatility, change and ever increasing regulatory requirements. Organisations are using GRC to more readily identify and manage their risks and in turn, respond to opportunities more quickly. There is still some way to go before most organisations achieve full integration of GRC across their different functions and regions. Progress is being driven by the recognition of complexity, a desire to reduce risk exposure and the enduring need to improve performance and reduce cost. Audit/Risk Committees often play a crucial role in the success of an integrated approach to GRC. They are a key sponsor and champion by promoting the benefits of the organisation s GRC approach, and ensuring that it is aligned to the organisational strategy and mission. Many organisations have separate risk, compliance and assurance structures, and some organisations have separate Audit and Risk Committees. This can make it challenging to obtain an overall view of the organisation s risk profile, insight into how these risks are being managed and comfort that they are obtaining the right breadth and depth of assurance over their key controls. This makes it increasingly important to have an integrated framework that cuts through the complexities and silos to effectively and efficiently manage GRC requirements. Governance, Risk and Compliance

9 Key questions to ask: > > Is the Audit/Risk Committee s role and depth of involvement in the oversight of our GRC framework understood? > > Do we have separate Risk and Audit committees? If so, how do they connect and work together? > > Do we know the total cost of activities related to our organisation s GRC efforts? 9

10 3. Integrating GRC A strategic approach to GRC offers a framework to unite and direct governance processes to support an organisation s corporate strategy. It allows the specific components of governance, risk management, compliance and assurance to be better aligned. Addressing the fragmentation across risk, compliance and assurance activities is an important piece of the GRC puzzle. To be effective, GRC has to link risk, compliance and assurance activities with the overall strategic decision-making and performance of the organisation. This is an area where many organisations continue to face difficulties. The Audit/Risk committee can assist with the convergence by being an advocate of the benefits of the organisation s GRC program and by ensuring that it is strongly aligned to the organisation s strategy. The risk component is critical to implementing an effective approach to GRC as this anchors the alignment to organisation s strategy. The GRC model does not propose a centralised approach to risk management; it recognises that risk is often best managed closest to the point of origin by management those who have the greatest understanding of the organisation s risks. A common language, methodology and approach to risk identification and assessment which is driven from the organisation s strategy is essential. Overlaying the organisation s risk appetite can help further focus GRC efforts on the risks that matter and potential areas to concentrate compliance and assurance activities. The risk profile distinguishes where in the organisation assurance and compliance activities should be conducted. Assurance mapping, using a shared view of the organisational business model, can then integrate all assurance and compliance activities in a single view and be used to identify gaps in coverage and duplication of efforts. It can inform management decisions about the overall state of assurance, including management self assessment, internal assurance and external assurance. Governance, Risk and Compliance

11 Key questions to ask: > > Do we have the key risks for our organisation identified and assessed? > > Have we articulated our risk appetite? Do we understand which key risks are not being sufficiently mitigated? > > Are we focusing efforts on the most critical risks? > > Do we have sufficient clarity on the true risk and compliance culture within the organisation? > > Do we have clear roles and responsibilities and reporting lines for all assurance and compliance providers (e.g. internal audit, external audit, OH&S and compliance)? > > Do we have a consistent reporting framework across our assurance and compliance activities, including rating of issues identified and tracking of issue resolution? > > Do we receive regular reporting from all assurance functions to management and the Board? > > Do we receive an integrated assurance map which provides transparency over the risks and areas of the organisation covered by assurance activities, and any gaps and duplication of effort? 11

12 4. Implementing a strategic approach to GRC Any GRC initiative can be a complex, multi-year journey that requires input from a wide variety of stakeholders across the organisation. Although the process for achieving convergence within GRC will vary from one organisation to the next, the following principles can be a useful guide in maximising the chances of success: 1. Consider the big picture first A strategic approach to GRC should be viewed as a journey and therefore not all of the current convergence challenges can be addressed at once. It is important to identify what is important (e.g., do you need consistent and reliable information), what current challenges exist and prioritise the issues and actions. 2. Form a cross-functional team or committee The GRC journey requires a move away from siloed problem resolution. To assist it is important to establish an appropriately sponsored cross functional team or committee. This cross functional team/committee will provide a forum to discuss existing challenges/issues and collaboratively formulate solutions to obtain buy in across the organisation. 3. Define roles and responsibilities early in the process Effective GRC is predicated on the sharing of information across functional business lines; underpinning this, is the need to clearly define each GRC function s roles and responsibilities to minimise the level of task duplication. 4. Beware of building another silo GRC should be viewed as a framework/approach which supports the existing risk, compliance and assurance functions and not a reason to insert additional levels of bureaucracy through the creation of a GRC cottage industry. 5. Get the processes worked out before investing in the technology Technology is a support tool of GRC but not an essential element. It is important prior to investing significantly in new technology that you have clearly defined what your GRC requirements are and whether your existing systems can support your ongoing and future business needs. Governance, Risk and Compliance

13 6. Seek out overlaps and build efficiencies A clear understanding of each function s roles and responsibilities can enable the identification and removal of duplicate roles and infrastructure to focus on cost savings, whilst at the same time being cognisant of not creating inconsistencies and errors in compliance. 7. Create a common language and understanding around risk A common risk language, methodology and approach to risk identification and assessment provides the platform for an enterprise wide view of risk and the ability to aggregate information in a consistent manner which has been provided by different compliance and assurance providers. 8. Don t lose the detail in the convergence process GRC recognises that risk, compliance and assurance functions within an organisation may be at different stages of maturity and therefore, it is important not to create a standardised reporting approach that results in a loss of risk detail and expertise. 9. Remember that GRC is a gradual process GRC is not a one off wholesale change to existing risk, compliance and assurance processes, it is a gradual journey which focuses on implementing change in a sustainable manner across the organisation. In summary, an effective GRC framework protects and enhances organisation value by fostering a risk-aware culture, supporting informed decision-making and by addressing multiple layers of compliance and assurance. It enhances operational efficiency by rationalising risk management, controls and assurance. With the right GRC model in place, leaders should get the information they need to understand and respond to the risks facing the business, as well as anticipating and meeting changing stakeholder and regulatory demands. 13

14 5. Glossary Assurance Compliance Compliance management system Corporate governance Internal audit Internal controls Risk appetite Risk profile Resilience Risk management An independent professional service, with the goal of improving the information or the context of the information so that decision makers can make more informed, and presumably better decisions. Conforming to a rule, such as a specification, policy, standard or law. Compliance management takes care of the legal and ethical aspects of an organisation s activities. The role of person(s) or organisation(s) with responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. An independent appraisal activity which includes, amongst other things, examining, evaluating and monitoring the adequacy and effectiveness of internal control. The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The term controls refers to any aspects of one or more of the components of internal control. Risk appetite is the level and nature of risk the organisation is willing to take to achieve its objectives. The result of an integrated and organisation-wide assessment of those exposure areas that threaten strategy, objectives and existence of the enterprise. The ability of an enterprise to survive and recover from serious organisation setbacks. Covers the various coordinated activities that direct and control an organisation s approach to respond to an organisation s risks. Governance, Risk and Compliance

15

16 Contact details KPMG Sally Freeman Partner in Charge Internal Audit Risk & Control Services Phone sallyfreeman@kpmg.com.au Michael Hill Partner Internal Audit Risk & Control Services Phone mwhill@kpmg.com.au The Institute of Chartered Accountants in Australia National Office 33 Erskine Street Sydney NSW 2000 GPO Box 9985, Sydney NSW 2001 Service Phone 100 per cent +61 recycled (2) 9290 paper supporting 1344 responsible use of forest resources. Fax +61 (2) service@charteredaccountants.com.au charteredaccountants.com.au kpmg.com.au Printed on ecostar a 100% recycled paper supporting responsible use of forest resources.