ICSA Annual Conference, Day 1, 15.30
The ICSA ANNUAL CONFERENCE 2016
International trends in corporate governance
Peter Turnbull
Director and Past President, Governance Institute of Australia
Non-Executive Director
© Governance Institute of Australia
Overview of Australian market (1)
Market:
• 2,200 publicly listed companies
• Listed market capitalisation of circa A$1.5 trillion (the interest rate derivatives market is the largest in Asia at A$47 trillion)
• Some 6.7 million individual shareholders (total population – 24 million)
Regulation:
• Quite heavily regulated market – ASIC, APRA and ASX
• Post-GFC regulatory over-reach evident in some areas
• Some question the performance of ASIC, the corporate regulator
Overview of Australian market (2)
Governance:
• Good governance definitely matters in Australia
• Companies with questionable governance are penalised – via share price, media and/or ability to access capital (and its cost)
• Regulators, proxy advisors, shareholder groups and media (including social media) are constantly watching and are quite influential
• Management of reputation has become a much bigger issue
• ASX Corporate Governance Guidelines have driven continuous governance improvements since 2003 (“if not, why not” basis)
Current ‘big picture’ issues in governance in Australia
1. Risk management, especially ESG (environmental, social and governance) risks
2. Regulation – effectiveness and focus
3. Board composition – diversity
4. Superannuation governance
5. AGM – role and renewal
1. Environmental, social and governance risks (ESG)
• A key issue is board oversight of risk management (beyond financial risk to ESG risks) – including cyber security and reputational risks
• Investors expect comfort through proper risk systems which are embedded in everyday life and enterprise-wide
• Corporate sustainability and longer-term performance is a key issue, especially for superannuation funds, which are long-term investors. Markets are under pressure, so there is heightened awareness that sustainability and risk management are also key concepts in preserving and protecting capital
1. Environmental, social and governance risks (2)
• Financial risk is no longer the only performance measure
• Proxy advisors and social media have heightened the call for greater accountability and transparency – especially in relation to ESG risks
2. Regulator and corporate culture
• Confidence in the regulator is directly linked to confidence in the markets – possible significant change ahead for ASIC
• Questions over the performance of ASIC (Government capability review underway) – staffing of around 1,700 people and budget reductions
• Regulator seeking out bad corporate culture (financial institutions focus): sees it as an indicator of governance problems
– a difficult concept: very hard to identify and regulate bad culture
– is a regulator equipped to identify bad culture?
• Possible privatisation of the large ASIC registry business causing angst – tied to the future funding of ASIC (user-pays model?)
3. Board composition and diversity
• Board composition debate in Australia has been over-simplified (to almost a sole focus on diversity, which is in turn taken to mean gender diversity)
• Board composition is about more than diversity
• Diversity itself is about many things – ethnicity, experience, age, gender, personal traits
• 19% of ASX 200 board seats are occupied by female directors (16.5% in 2014/15) – 12% have no female director
• Australian boards would benefit from greater diversity including gender diversity – it’s not just an ideal, it’s about profit: US studies have shown greater diversity (particularly gender) leads to financial outperformance in Fortune 500 companies
4. Superannuation governance
• Australia’s superannuation pool is circa A$2 trillion
• Reform is required: governance of super funds has not kept up with general governance developments and initiatives (not subject to the ASX Corporate Governance Guidelines – “if not, why not”)
– superannuation fund boards lack diversity and in some cases commitment to contemporary governance standards – a key issue when the longer-term management and protection of investors’ money is involved
– union representatives are appointed to some super boards and can control 50% of board seats in some organisations
– reform legislation (for 50% independent directors) is currently stuck in Parliament
5. AGM role and renewal
• Australia’s AGM format has not kept up (virtual AGMs are rare – unlike in the US and New Zealand)
• AGM attendance is falling and shareholders are not getting the information and knowledge they need
• Australia has high levels of shareholder engagement, but not via the AGM platform
• Australian corporate legislation remains wired to a hard-copy world
• Reform is required and ideas being considered (or already underway) are:
– virtual interactive meetings
– full electronic delivery of papers
– possible separation of the meeting itself and voting
– direct voting
Changes in Corporate Governance – an introduction to King IV
By Jill Parratt, South Africa
ACKNOWLEDGEMENT
The content in these slides has been extracted from the website of the Institute of Directors in Southern Africa (IoDSA). However, it must be noted that the discussion points and comments highlighted below do not reflect the view of the IoDSA or the King Committee, nor are they an indication of what will be included in King IV. They are merely intended as a reflection of the suggestions offered during the course of the working sessions, which still need to be taken under consideration by the King Committee.
An introduction to King IV
WHY HAS THE DECISION BEEN MADE TO UPDATE KING III?
• There have been significant corporate governance and regulatory developments, locally and internationally, since King III was issued in 2009 which need to be taken into account.
• The other consideration is that whilst listed companies are generally applying King III, non-profit organisations, private companies and entities in the public sector have experienced challenges in interpreting and adapting King III to their particular circumstances. The enhancement will aim to make King IV more accessible to all types of entities across sectors.
HOW WILL KING IV BE DIFFERENT FROM KING III?
• The fundamental philosophy and concepts as currently espoused by King III will not change and companies should therefore continue following King III as it stands.
• Simplification and ease of interpretation and access will be a key tenet of King IV. One of the ways that this will be achieved is by clearly differentiating principles from practice recommendations. Principles will be stated as higher order. This is a recommended practice for listed companies currently included in King III, but due to the associated cost it may be prohibitive for smaller entities and therefore different practices will be appropriate. This approach puts the emphasis on the outcome envisaged by the principle and allows for flexibility of application.
An introduction to King IV
IN WHICH GOVERNANCE AREAS ARE CHANGES ENVISAGED?
• King IV will be building on the content of King III. As such, the same subject matter will be covered, but consideration will be given to developments that include but are not limited to the following areas: executive and directors’ remuneration, integrated reporting, responsible investing and linkage with the Code for Responsible Investing in South Africa (CRISA), the evolving role of social and ethics committees, mandated audit firm rotation and tendering, information security and protection, strategic risks and dependencies, group governance, board diversity and combined assurance.
• A primary aim of the King IV content development is to reinforce the code as an integrated and holistic system.
• In order to maintain the integrity of the integrated approach to content development, the working sessions are planned from a broader perspective towards more specificity as the discussions evolve.
• In general it was commented by participants that King IV should attempt to shift the compliance mind-set and that organisations should still be afforded the freedom and concomitant responsibility to “apply or explain”. The need for integrated thinking featured prominently at all of the working sessions.
The following are the highlights of what was suggested by the working groups to be incorporated as part of the principles and practices in King IV.
An introduction to King IV
Board structures
• Board and board committees should be structured and composed so that there is a balance of power and the board is able to exercise effective oversight. This includes:
– continued professional development of board members;
– succession planning;
– support by an effective and strong company secretary;
– well-functioning sub-committees; and
– that the size of the board is linked to efficiency.
• There should be integration of the functioning of board structures so as to achieve integrated thinking across all aspects of the organisation.
• The board should provide ethical leadership and independence.
Board decision-making
• The board should articulate the purpose and strategic intent of the organisation, and those should be evident in the outcomes of the board’s decisions.
• The board should be ultimately accountable for its decisions in order for governance to be effective. To achieve this, the following needs to be in place:
– transparency regarding dissenting votes on decisions;
– the integrity of information on which decisions are based should be ensured; and
– board collaboration should be based on applying EQ.
• The board should create a learning culture towards continued improvement of performance.
An introduction to King IV
A group governance framework was raised as a matter that needed to be addressed in more detail, specifically the following aspects:
• Standard policies and practices across the group.
• Clear accountability and roles reinforced through induction and letters of appointment.
• The need for an understanding of the regulatory situation, especially if the group operates in more than one jurisdiction.
• Code of ethics, service philosophy etc. to apply across the group.
• Functioning of group board committees.
• Understanding and addressing conflicts within the context of a group.
• Proper delegation across the group and alignment of all MoIs.
• The board should recognise and respect each entity within the group as a separate legal persona to which legal duties are owed by its directors.
• Use of shareholder compacts and other formal arrangements to regularise relationships.
Value-creation
• The board should assume responsibility for value-creation beyond financial value. This is evidenced by:
– ethical behaviour by the board as a collective and by individual directors;
– values and ethics within the organisation;
– healthy stakeholder relationships;
– effective and efficient allocation of the six capitals, and accounting for the enhancement, use and impact on each capital;
– striving for alignment of the values of individuals with those of the organisation.
An introduction to King IV
Integrated assurance
The board should ensure the integrity of information used for its own decision-making as well as the integrity of information disclosed to external stakeholders. In terms of practices this means that:
• the organisation should understand why and for whom information should be provided;
• all stakeholders need information for decision-making and therefore the information needs of each key stakeholder need to be identified; and
• there should be adherence to the attributes of integrity of information: reliability, accuracy, fairness, representativeness, timeliness.
Assurance
The board should be responsible for ensuring that material information is defined and assured. Practising this would involve the following:
• A cost/benefit analysis is to be performed in respect of assurance;
• Each board committee should be responsible for assurance within its area of responsibility, and board committees should serve as the 4th line of defence – therefore it is important to optimise board skills and experience and site visits;
• The risk matrix (including key vulnerabilities and critical dependencies) should be mapped to board and board committee responsibilities and to the allocation of an assurance provider to assess each key risk/area of risk;
• The chief audit executive should co-ordinate combined assurance and report to the audit committee chair, supplemented by reporting to other board committees;
• There should be a policy and framework in place for integrated assurance;
• The standards for non-financial assurance should be agreed by the audit committee and other relevant board committees.
An introduction to King IV
Risk
• The board should be accountable for risk governance that contributes to the performance of the organisation.
• The board should ensure that an awareness of, and an appropriate response to, potential threats and opportunities are an integral part of decision-making and endeavours at all levels within the organisation. This means that:
– Risk awareness should permeate the following aspects of organisational life: strategy; reporting; decision-making; board composition; capital management; resource allocation; and stakeholder engagement.
– Risk integration should take place on horizontal levels (e.g. decision-making, setting risk appetite) as well as vertical levels (e.g. delegation).
– Risk should be part and parcel of the combined assurance framework.
• Stakeholders should be able to come to an informed view as to the ability of the organisation to create value in the short, medium and long term. Therefore, the board should ensure transparency regarding the extent to which the capitals/critical dependencies that the organisation relies on have been enhanced and/or used and impacted on.
An introduction to King IV
Technology and Information
• The board should ensure that technology serves value-creation by the organisation. Therefore, the board should understand how technology fits into the value-creation paradigm (i.e. understand the evolution of technology from support to enabler to being pervasive).
• The board should ensure that return/benefit is realised for the organisation from investments in technology.
• The board should be aware of technology risks, which include:
– cyber security;
– compliance;
– business continuity;
– lack of knowledge of technology on the board; and
– outsourcing.
• The board should ensure that information is recognised as a corporate asset and that it is part of intellectual capital to be protected and enhanced. This can be done with regard to:
– information security;
– records management: identification, classification and ownership; and
– information privacy.
An introduction to King IV
Compliance
• The board should ensure an effective compliance function that leads to corporate performance and protects value. This aspiration is to be supported by:
– the definition of a compliance universe and the design of a compliance framework;
– a board that has working knowledge of material legislation and the compliance process;
– pro-activity in establishing relationships with regulators, understanding the environment and trends, and influencing;
– responsiveness to changes in the regulatory environment; and
– a compliance function that is efficient, fit for purpose and guided by materiality.
• Compliance should be the second line of defence within the combined/integrated assurance framework. This means that the compliance function should:
– be independent; and
– have a reporting line to the board or audit committee.
An introduction to King IV
Remuneration
• The board should ensure that the organisation incentivises shared-value creation, including:
– remuneration policies that drive value-creation;
– performance appraisals against an agreed scorecard;
– disclosure of remuneration processes and actual remuneration against the achievement of shared-value objectives;
– reward of ethical behaviour;
– NED remuneration;
– shareholder binding vote on remuneration; and
– linkage of reward with KPIs.
An introduction to King IV
Stakeholders
• The board should ensure that stakeholders and their legitimate expectations inform strategy. This involves:
– identification of stakeholders;
– definition of “material” stakeholders;
– drafting a matrix of stakeholders and expectations;
– linking stakeholder interests to strategy, risk and opportunity; and
– considering resources required.
• The board should ensure that the outcome of stakeholder engagement is inclusive, effective and efficient, and responsive to the legitimate interests of all material stakeholders. This entails the following:
– dedicated accountability for stakeholder relationships and reporting;
– drafting a stakeholder map;
– drafting a stakeholder management and communication plan, including platforms and mechanisms for engagement; and
– measurement of the quality of relationships, including proximity, frequency, parity etc.
• The board should ensure that the organisation, as a responsible corporate citizen, creates value for its stakeholders in a sustainable manner. This involves the following:
– determining a shareholder value framework and monitoring and review against the framework; and
– disclosing stakeholder value created and destroyed.
An introduction to King IV
Shareholders
• The board should pro-actively develop relationships with shareholders so as to strengthen the ability of shareholders to act in accordance with relevant codes that guide shareholder responsibilities. The practices that would support this are the following:
– the continual identification of shareholder groupings through shareholder registers, and the classification of shareholder groupings that feed into a shareholder engagement plan;
– measuring the quality of shareholder relationships;
– setting up structured engagements;
– incorporating shareholders’ ability to affect value-creation in the risk register; and
– determining the process for identifying and addressing conflicts of interest.
Jim Lafferty
Service Delivery Manager, Capita Company Secretarial Services
European Corporate Governance Developments 2016
Agenda
• Shareholders Rights Directive (“SRD”)
• Market Abuse Regulation (“MAR”)
• General Data Protection Regulation (“GDPR”)
• Key 2016 dates
2016 timeline:
• GDPR expected approval
• SRD expected implementation
• MAR in force from July 2016
Shareholders Rights Directive
• Proposal by the European Commission in 2014 with an aim to strengthen shareholders’ rights and modernise corporate governance.
• Main areas addressed in the revised Directive:
– Shareholder identification
– Remuneration report voting
– Country-by-country reporting
• Implementation is expected in mid-2016, with member states required to adopt within 18 months from this date.
• This is a Directive rather than a Regulation.
Market Abuse Regulation
• Comes into force on 1 July 2016 with the aim of enhancing market integrity while ensuring a single rulebook and level playing field across the EU.
• Main areas addressed by MAR:
– Insider lists – enhanced requirements
– Changes to PDMR transactions
– New provisions for the disclosure of insider information
• Expect greater scrutiny by the FCA following the formal implementation.
• Provisions are known, so act now to ensure a smooth transition.
General Data Protection Regulation
• Formal approval expected in Q1 2016, with member states having 2 years to implement the changes.
• Main areas addressed by the regulation:
– Explicit consent and digital age of consent
– Broader right to be ‘forgotten’
– ‘One-stop shop’ for data protection complaints
– Increasing company liability for breaches
• This is a Regulation rather than a Directive.
• Tiered approach to penalties for breach; some infringements can be up to 4% of worldwide turnover.
Corporate Governance
Trina Hill, March 2016
Syllabus outline
Candidates are required to discuss in detail statutory rules and the principles or provisions of governance codes, and apply them to specific situations or case studies.
Strong UK emphasis (UK Corporate Governance Code 2014) - other codes can be cited in answers but must be referenced.
Syllabus outline (topic weightings: 15% and 10%)
Effectiveness of the board and committees
General governance principles
Board of directors and leadership
Risk management and internal control
Governance and accountability
Remuneration
Relations with shareholders
Corporate social responsibility
Other governance issues
Examination format
• 3 hours and 15 minutes (including reading time)
• Answer 4 questions in total (out of 6)
• Questions may ask for a particular form of answer (e.g. a report to the board)
• Scenario based questions
• Each question carries 25 marks
How to pass
• 50% or more = Pass: set out principles, no/limited application
• 65% or more = Merit: discuss and apply principles
• 75% or more = Distinction: “discuss in detail and apply”
Corporate Governance November 2015 exam
• Question 1: general principles/board composition
• Question 2: financial reporting/auditors (governance and accountability)
• Question 3: shareholder relations
• Question 4: remuneration
• Question 5: risk management
• Question 6: other governance (unlisted co)
Question 1
• Prepare a report to the board
• Describe OECD principles and main principles of UK Corporate Governance Code 2014 (14 marks)
• Changes required to board and committees of Elmer plc to become a ‘smaller’ listed company (11 marks)
Script for Question 1
Distinction level answer
• What has the candidate done well?
• What improvements could be made?
Question 2
• Explain what a ‘going concern’ statement is (5 marks)
• Describe responsibilities of directors (listed co) for financial reporting under CA 2006 and UK CG Code (14 marks)
• Discuss division of responsibility between directors and external auditors for prevention and detection of fraud (6 marks)
Question 3
• Describe the rights and powers of shareholders and proxies and explain how those relate to the situation regarding Monk Nominees Ltd (14 marks)
• What is meant by ‘shareholder activism’? Explain how Bailey plc can improve engagement and dialogue with major shareholders, including Monk, both prior to and at the AGM (11 marks)
Question 4
• Discuss why remuneration is recognised as an important governance issue and the role of shareholders in monitoring it (8 marks)
• Explain the role and composition of the remuneration committee (under UK CG Code) (8 marks)
• Describe and explain the matters which the remuneration committee (of Took plc) should consider when preparing for the AGM. (9 marks)
Question 5
• Identify the UK CG Code principles in respect of risk management (8 marks)
• Discuss the differences between strategic and operational risk; describe the general risk areas, with examples as relevant to Loran plc (9 marks)
• Define the key elements of a disaster recovery plan (8 marks)
Question 6
• Contrast the approach to corporate governance in listed and unlisted companies and outline general principles applicable to all unlisted companies (12 marks)
• Prepare a schedule of matters reserved for the board; explain why this would be useful to Morton Ltd (13 marks)
Script for Question 6
Fail B level answer
• Less than 3 marks away from a pass
• What did the candidate do well?
• What improvements could be made?
• 7 more marks needed for a merit or 9 more marks needed for a Distinction
Are there any questions?
Thank you
www.chiron-risk.com
Risk Literacy
What is it & why is it important?
Prof Garry Honey 8 March 2016
Agenda
1. Literacy – definition & context
2. Boards & Risk – conduct & culture
3. Company Secretary – role & responsibility
4. Future challenges – forecasting & facilitation
1. Risk Literacy
Language of Risk
Approach – Do we seek or avoid? Is it a threat or an opportunity?
Appetite – How much should we take, and with what reward and controls?
Tolerance – What penalties will we bear? What is acceptable risk?
Literacy – Maturity and experience in coping with uncertainty
Wet floor – invitation or warning?
Approach: opportunity or threat?
Perception is everything…
Perception of risk
As a Threat - not everyone agrees on what risk actually means:
• Business interruption threats – inconvenience
• Potential accidents & personal hazards – liabilities
• Incidents where non-compliance occurs – censure
• Events which could lead to a financial impact – cost
Lawyers, Accountants & Insurers each see risk differently.
Significantly, Regulators and Investors do also!
Figure: Attitude to Risk against Perception of Risk
Levels: individual, team, department, divisional, country, regional, global corporate
Roles: Chief Risk Officer / Director of Risk; Chief Financial Officer / Finance Director; Chief Legal Officer / General Counsel; Non-Exec Directors (NEDs); Compliance Director / Head of Internal Audit; Company Secretary; Chief Executive Officer / Managing Director; Chief Operating Officer / Operations Director; Chairman
Attitude + Perception = Approach
Appetite + Tolerance
Inputs that shape appetite and tolerance:
• External environment – marketplace; moment/circumstance
• Internal culture – attitude to risk; nature of business
• Past experience – probability & severity; future forecast
• Business priority – growth or consolidation; sales or safety
APPETITE – What risks are we prepared to take? Hunger: risk seeking to aversion
TOLERANCE – What level of loss is acceptable? Pain: quantification of loss
Risk literacy is not maturity
Four stages (competence against consciousness):
1. Immature (unconscious, incompetent) – We don’t know much about risk; we aren’t capable of managing it. e.g. Church & Third sector
2. Adolescent (conscious, incompetent) – We know about risk, but we still aren’t capable of managing it. e.g. Hospitals & schools
3. Maturing (conscious, competent) – We know about risk; we also know how to manage it. e.g. most FTSE 100 companies
4. Very mature (unconscious, competent) – Risk is culturally integral; we know how to handle it. e.g. Investment banks, gamblers
Risk Literacy
‘Information (environment) fosters understanding (cognition). Non-transparent forms create confusion. Our brain is better at dealing with risks when they are represented as natural frequencies rather than conditional probabilities, better when they are represented as absolute rather than relative risks…
…people strive towards certainty – which does not exist. We need people who can cope with risk and deal with it in an informed way’
Center for Risk Literacy, Max Planck Institute, Berlin
Risk as Future Uncertainty
‘Risk is a word that engenders a sense of urgency because it alludes to the probability of adverse, sometimes catastrophic, outcomes. Much of the urgent acrimony stems from a lack of agreement about the meaning of the word. People are using the same word to refer to different things…
…risk is a word that refers to the future. It has no objective existence. The future exists only in the imagination’
Prof John Adams, UCL – Risk
Risk Literacy - summary
Literacy is important because the future is uncertain; it is unrealistic and imprudent to offer certainties or reassurance about the unknown or unknowable:
Risk is about future uncertainty… and the probability of events occurring which impact business continuity
Strategy is about future direction… and the route chosen to achieve pre-determined goals or business objectives
2. Boards & Risk
Risk Culture
Risk has become a field of expertise since 2008
Most firms have a CRO or Risk Committee
Risk reporting is a statutory requirement
Risk often sits within:
– Finance – assurance, audit
– Compliance – governance & regulation
– Operations – liquidity, safety etc.
Risk specialism is a myth
Risk has become a control function (figure):
• Continuity
• Contingency
• Control – risk management
• Conduct – regulator compliance
Risk Management
Future uncertainty –
• not just danger or disruption
• can also represent opportunity
Our response is to –
• reduce damaging uncertainty
• control our destiny & remove surprise
Risk management has become –
• a framework of control systems (ERM)
• that deliver the illusion of control
Heat map – visualised control (figure: severity low/medium/high against probability low/medium/high)
Risk Registers
Lists of possible interruptions (known unknowns)
Ranked by probability and impact/cost (based on estimates)
Responsible individuals named (potential blame-owners)
Contingency actions identified (based on estimated impact)
Provided for external auditors (who don’t scrutinize content)
Reviewed at board meeting annually (so risks don’t change much)
Management & Control
How are we going to control risk? – wrong question
How are we going to reduce uncertainty? – right question
Risk Reporting
Risk Type | Reporting Frequency | Control & Predict | Strategy | Examples
Market Risk | Occasional | Hardest | Mitigate | marketplace – exchange or interest rates, taxation, government policy, competitor activity, pricing, product demand etc.
Operational Risk | Regularly | Easiest | Retain & manage | business – financial, insurance, liquidity, credit, capital, project, ERM, corporate responsibility, brand activity etc.
Strategic Risk | Rarely | Difficult | Avoid or mitigate | direction – impact on chosen strategy, sustainability, reputation, culture & corporate behaviour, value alignments.
Principal Risk / Significant Risk | Statutory requirement | Difficult | Manage | realisable value – ROI, significant to investors – share price, reputation etc.
Risk accountability & reporting
Reporting to external audiences –
– Demonstrate compliance to regulator - governance
– Provide confidence to investors - control
Reporting to internal audiences –
– Specify controls for risk management - systems
– Manage potential business interruption - impacts
Why we report risk
Compliance – disclosure for regulators & auditors
Confidence – inspiration for investors and key influencers
Confirmation – vindication of strategy & management
Communication – with all key stakeholder audiences
Boards & Risk – summary
It only works if we are honest and open about risk as uncertainty. Many of our audiences naturally seek certainty. In giving them this based on control systems, are we setting ourselves up for a fall?
Could the Company Secretary play a positive role in risk literacy?
3. Company Secretary role
Henley report 2014
Pivotal figure in boardroom
Facilitator of key decisions & board effectiveness
Vital link between Exec & Non-Exec members
Increasingly an outward facing role, not just internal admin.
Regulators want to see greater risk literacy
FRC on risk 2011
Why is corporate risk reporting inadequate?
1. Board responsibility and ownership – approach to risk
2. Nature of risk needs more explanation – interpretation of risk
3. Reporting is not just about compliance – information about risk
Risk Literacy & Risk Governance
1. Approach to riskThe Board is responsible for determining the approach to risk, setting its culture, risk identification, oversight of risk management, and crisis management. It is a shared responsibility.
2. Interpretation of riskThe Board needs to agree its appetite or tolerance for key individual risks; to understand the company’s exposure to risk and how this might change….. companies should indicate to shareholders when and to what extent they believed their exposure to risk was changing.
3. Information about riskQualify why the reported risk is significant, why it represents a threat and what the organisation is doing to control this. Explain how readers will know when a risk ceases to exist and explain contingent factors that increase or decrease this risk.
Some recent guidelines
LSE – Risk Culture in Financial Organisations (Jul 2013)
BS 13500 – Effective Governance Standard (Oct 2013)
FSB – Risk Culture Guidance (Apr 2014)
IBE – Business Ethics in Corporate Reporting (May 2014)
FRC – Guidance on the Strategic Report (June 2014)
IIA – Culture and Internal Audit (July 2014)
FRC – Corporate Code update (Sept 2014)
OECD – Principles of Corporate Governance (Nov 2014)
ACCA – Channelling Corporate Behaviour (Dec 2014)
FRC – Report on Corporate Governance & Stewardship (Jan 2015)
Deloitte – The Changing Role of Compliance (Apr 2015)
ICSA – The Company Secretary – Building Trust through Governance
PRA – Corporate Governance – Board Responsibilities (May 2015)
4. Future challenges
Guard against cognitive bias in boardroom
1. Representation bias – tendency to categorise new risks according to how much they resemble familiar risks
2. Availability bias – tendency to judge risks by whether examples come readily to mind, hence depends on the judge’s exposure & experience
3. Anchoring bias – tendency to view risk depending on the starting point or frame of reference
4. Hindsight bias – tendency to rely on perceived competence in previous risk handling; failing to learn from experience
5. Cognitive dissonance – tendency to close the distance between two positions & reduce tension; tendency to justify after the fact
6. Confirmation bias – tendency to seek evidence that confirms a viewpoint and to ignore conflicting evidence
Source – Lloyds Emerging Risks – Bear, Bull & Lemming 2010
Guard against ‘Groupthink’
‘An excessive form of concurrence seeking among members of high prestige, tightly knit policy-making groups in which group members come to value the group and being part of it more highly than anything else…….
…this causes them to strive for a quick and painless unanimity on the issues that the group has to confront……group members suppress personal doubts, silence dissenters and follow the group leader’s suggestions…..
…the results are a distorted view of reality, excessive optimism producing hasty and reckless policies, and a neglect of ethical issues.’
Source: P. Hart, ‘Victims of Groupthink’, Political Psychology 1991. Based on I. Janis, ‘Psychological study of foreign policy decisions’, 1972
Promote risk as Philosophy not Function
Risk as FUNCTION
• Damage limitation
• Business continuity
• Controls & systems
• Threat mitigation
Risk as PHILOSOPHY
• Reducing uncertainty
• Growth opportunity
• Understanding bias
• Commercial advantage
Strategic risk
Operational risk
Good Governance…….including risk governance
Ensure compliance with SMR
FCA Senior Managers Regime (SMR): Consultation paper ‘Strengthening accountability in banking: a new regulatory framework for individuals’ – Feedback March 2015, ref CP 15/9
Proposals put out in consultation paper for industry feedback based on Parliamentary Commission on Banking Standards (PCBS) and powers granted by the Financial Services (Banking reform) Act 2013.
HM Treasury wants implementation by 7 March 2016, so companies have a year in which to secure compliance with the regime – which replaces the Approved Persons Regime (APER).
The SMR is ‘the new regime for individuals who are subject to regulatory approval, which focuses on senior individuals who hold key roles or have overall responsibility for key areas’ (1.11).
Ensure compliance with EU Directives
• Directive 2014/95/EU – Non-financial reporting
• European Parliament adopted on 15 April 2014
• Council of the European Commission adopted on 29 September 2014
• Companies (with 500+ employees) will need to disclose information on policies, risks and outcomes as regards environmental matters, social and employee-related aspects, respect for human rights, anti-corruption and bribery issues, and diversity in their board of directors… Companies will be required to disclose concise, useful information necessary for an understanding of their development, performance, position and impact of their activity,
Explore causes of uncertainty
Uncertainty as variability (aleatoric)
A range of outcomes possible – you can’t be sure which one might actually happen.
Uncertainty as ambiguity (epistemic)
A number of outcomes possible – you don’t have enough information.
Uncertainty as unknown (ontological)
The Donald Rumsfeld unknown-unknowns, which are really unknowable-unknowns. Risks we do not see because we don’t know that we should be looking for them.
Control what you can
‘The essence of risk management lies in maximising the areas where we have some control over the outcome, while minimising the areas where we have absolutely no control over the outcome’
‘Against the Gods: The Remarkable Story of Risk’, Peter Bernstein
Summary
Use your unique position to challenge risk as a specialism
Use diplomacy to help the board engage with uncertainty
Promote improved risk literacy
Know when to call for reinforcements
Audit Related Matters – Perspectives from an Audit Chairman, an Auditor and a Company Secretary
ICSA Annual Conference
Introduction to the Panel
Ian Barlow, Chairman Audit Committee, Smith & Nephew plc
Stephen Oxley, KPMG, Audit Partner, Smith & Nephew plc
Susan Swabey, Company Secretary, Smith & Nephew plc
KPMG have just completed their first audit for Smith & Nephew having been appointed to replace auditors who had been in place since 1937.
Topics for Discussion
• Changing Dynamics
  • between the Non-Executives and the Executive team
  • between the Board and the Audit Committee
• Conducting an audit tender
• Enhanced reporting on Activities of the Audit Committee
• Changes to the UK Corporate Governance Code
• Risk management & risk and controls monitoring
• Viability statement
• Tax transparency – looking ahead to country by country reporting
• What does the Audit Committee Chairman expect from the Company Secretary or Secretary to the Audit Committee?
Changing Dynamics – View of the Audit Committee Chairman
• The UK has a unitary Board system and directors share joint and several liability
• Audit Committees have increasing responsibilities, many quasi-executive in nature – e.g. managing the internal audit function, agreeing audit fees, audit tenders.
• Audit Committees are also responsible for independent oversight of the financial statements and key judgements – the FRC is now emphasising that the Audit Committee makes its own independent enquiry, rather than relying on management or the auditors
• Relationship with the Board has changed, with the Audit Committee doing the heavy lifting on matters such as risk management processes and ‘fair, balanced and understandable’.
• Fine balance between exercising oversight and becoming too involved. Need to take care that the role of an Audit Committee member does not become too “executive”.
Changing Dynamics – View of the Auditor
The recent CMA Order requires FTSE350 companies to tender their audit every 10 years and, through disclosure, encourages 5 year tendering
EU reforms set to:
• introduce MFR and a ‘blacklist’ of prohibited non-audit services
• create specific legislative requirements around audit tenders
The Code (and FRC Guidance on Audit Committees) set to ‘require’:
• sectorial competence on the AC and at least one member with competence in accounting and/or audit
• new disclosures focussed on audit committee effectiveness and the impact of both FRC audit inspections and corporate reporting reviews
The new environment is indirectly driving innovation in areas like auditor reporting and data & analytics
Conducting an Audit Tender (1)
Only the audit committee is permitted to initiate / supervise the tender process, and make the recommendation(s) to the board.
The audit committee must ensure that:
• the tender process does not preclude the participation of non-Big 4 firms
• tender documents allow invited auditors to understand the business
• the proposals are evaluated in accordance with predefined transparent selection criteria
• consideration is given to any inspection report findings
• the company can demonstrate that the selection procedure was fair
The committee must identify its first and second choices for appointment and give reasons for its choices.
• Audit tenders at least every 10 years
• Mandatory auditor rotation at 20 years
• Transitional rules based on the length of audit tenure
Conducting an Audit Tender (2)
Date – Action
April 2014 (pre tender process) – Each firm presents to Audit Committee
Late May 2014 – 2 days of presentations and workshops, access to senior management
End June 2014 – Submission of written tenders
Early July 2014 – Presentation to Steering Committee (audit question added in to process in last 48 hours); meeting of Steering Committee, then announcement
Autumn 2014 – Commence shadowing process
January 2015 – Shadow audit process of retiring auditors
April 2015 – Formal appointment by shareholders at AGM
July 2015 – Audit of first half year
February 2016 – First full year audit completed
Conducting an Audit Tender (3)
• Ensuring independence and avoiding conflicts
• Getting to know a new auditor … and a new client
• Lessons learned
Enhanced Reporting Requirements (1)
Audit Committee Reports
The ‘Code’ now requires disclosure of:
• the significant issues considered in relation to the financial statements, and how addressed
• an explanation of how the effectiveness of the external audit process was assessed
• the approach taken to the appointment or reappointment of the external auditor, the length of tenure of the current audit firm and when a tender was last conducted
• an explanation of how auditor objectivity and independence are safeguarded
FRC Financial Reporting Lab pushing for more granularity
Audit Reports
Changes to Auditing Standards now require that audit reports include:
• Audit risk
• Audit materiality
• Audit scope
Innovation has resulted in
• Company specific reporting
• Graphics
• Disclosure of ‘findings’ (e.g. Rolls-Royce)
Enhanced Reporting Requirements (2)
• Introductory letter from Audit Committee Chairman
• Discussion on areas of judgment and how they were resolved
• Ensuring alignment with the Auditors’ Report
• Enhanced disclosures on audit supervision – independence, non-audit fees, tenure, tendering, quality – and scope and materiality
• Audit Committee effectiveness
Risk Management and the Viability Statement (1)
• Disclose the principal risks and how mitigated
• Confirm that the directors have performed a robust assessment of the principal risks
• Clarification that the board should review the effectiveness of internal control and risk management systems on an ongoing basis – not a year-end exercise
• Disclose the actions taken to remedy significant failings or weaknesses
• Disclose how the prospects of the company have been assessed, over what period and why that period is appropriate
• Confirm that the directors have a reasonable expectation that the company will continue in operation and meet its liabilities as they fall due over the period of the assessment
Risk Management and the Viability Statement (2)
Risk management: 5 things we have learned
• Increased focus on risk management disclosures – more disclosure around the process
• Graphics are much more prevalent
• Principal risk disclosures are dynamic – new risks have been added (or taken out)
• Companies are starting to talk about risk culture
• Companies are starting to talk about risk appetite
Viability statements: 5 things we have learned
• The majority of statements are in the Strategic Report
• Most are with, or adjacent to, the principal risk disclosures
• Assessment periods are usually based on the existing mid-term planning cycle
• Around 2/3 have chosen three years and around 1/3 five years
• So far, very few go beyond generic statements around the assumptions and qualifications
Risk Management and the Viability Statement (3)
• Audit Committee reviewed the risk management process in February and July and considered the reporting requirements in October and again in February 2016
• During the year, the Board re-appraised our tolerance to our principal risks, conducted a “black swan” exercise, held a Board Development Session focused on risk management and risk appetite and carried out “risk Deep Dives” into Cyber Security and single site dependency.
• Asked Internal Audit to evaluate the effectiveness of our risk management programme
• Group Finance modelled worst case scenarios focusing on our principal risks and then assessed impact of aggregating some of the risk and then comparing with our funding facilities
• Updated the risk disclosures in our Annual Report. Viability Statement sits in the Annual Report at the end of our discussion on risk and covers a period of three years
Tax Transparency Agenda
• OECD issued final BEPS reports on 5 Oct, 15 Actions identified. Individual countries deciding how to implement
• Country by Country Reporting (CBCR) accepted by OECD and G20 countries as minimum standard. Effective for years beginning on or after 1 Jan 2016 and will require sharing of information including revenue, profit, tax paid and employee numbers on a country by country basis with other tax authorities adopting the guidelines
• Other proposals affecting multinationals include rewritten transfer pricing guidelines to align returns with value creation and proposed restrictions on the deductibility of finance costs, including external interest
• Separately HMRC have launched a consultation on the publication of tax strategy and a voluntary code of practice incorporating a common set of principles that multinationals will be encouraged to sign up to
What does the Audit Committee Chairman Expect from the Company Secretary or Secretary to the Audit Committee?
• Getting the basics right – efficient marshalling and distribution of papers, organising and timing of meetings and production of minutes/follow up actions
• Independent support – on fulfilling statutory Audit Committee requirements e.g. ‘fair, balanced and understandable’, internal reporting to Audit Committee e.g. by Internal Audit
• Liaison between Audit Committee and executive – where needed e.g. in preparation of papers particularly in emerging areas like Risk.
• Ownership of Annual Report & Accounts – to ensure coherent, comprehensive and compliant content
• Company Secretary is the key governance contact – links to Internal Audit, Risk function, General Counsel and Finance team