Enterprise Governance, Risk and Compliance Management
Pharma Colloquium, Princeton University
June 6, 2005
PwC
May 11, 2005, Page 1
PricewaterhouseCoopers
Agenda
• PwC Global CEO Survey on Governance, Risk and Compliance
• Regulatory Expectations
• COSO Enterprise Risk Management
• Open Compliance and Ethics Guidelines
PricewaterhouseCoopers 8th Annual Survey: CEO Concerns on Governance, Risk Management & Compliance
• PricewaterhouseCoopers recently released the results of its 8th Annual Global CEO Survey. This year’s survey focuses on governance, risk management and compliance (“GRC”), areas of critical concern to business leaders in every industry.
• For this year’s report, more than 1,300 CEOs in a wide range of industries were asked to state their perceptions of GRC and to assess their progress, successes, and their failures.
PricewaterhouseCoopers 8th Annual Survey: CEO Concerns on Governance, Risk Management & Compliance (continued)
HIGHLIGHTS OF THE CEO SURVEY
• Very few CEOs (7 percent) view GRC as related solely to laws and regulations, and a majority (54 percent) consider GRC to be an integrated set of concepts and practices. Yet only 25 percent state that they are managing GRC effectively.
- While a majority of CEOs are very confident that their organizations can respond to GRC matters related to domestic laws and regulations (68 percent) and to internal policies and procedures in domestic business units (57 percent), only 26 percent are very confident that their organizations can respond to similar matters related to foreign laws and regulations, and only 24 percent to matters related to internal policies and procedures in foreign business units.
PricewaterhouseCoopers 8th Annual Survey: CEO Concerns on Governance, Risk Management & Compliance (continued)
• In high numbers, the CEOs credit GRC with having a major, positive effect on legal liabilities (64 percent) and on reputation and brand (56 percent). However, they perceive other benefits less clearly.
• While many CEOs say that they adequately address stakeholders' concerns that are based on clear-cut legal requirements, fewer feel the same level of comfort with other constituents, whose expectations are more ambiguous.
• Fifty-eight percent of the CEOs indicate that GRC expenditures are primarily an investment; 38 percent view them primarily as a cost. Only 17 percent of all CEOs state that they can very accurately measure GRC costs.
PricewaterhouseCoopers 8th Annual Survey: CEO Concerns on Governance, Risk Management & Compliance (continued)
• The 25 percent of CEOs who state that they are managing GRC effectively have an advantage over their peers in perceiving GRC benefits and in responding to stakeholders' GRC concerns. Advantages are also evident when business units feel ownership of GRC issues and when the organization and collection of GRC information are fully automated.
• The CEOs are optimistic about the future. Over 90 percent express confidence in their companies' prospects for revenue growth over the next 12 months.
• In response to low-cost competition, nearly 40 percent of the CEOs are engaging in offshoring or planning to do so. While these CEOs see the benefits of offshoring, they also perceive the risks.
Regulatory Scrutiny and Expectations
• Regulators are looking for an enterprise-wide approach.
• Regulators are focusing on conflicts of interest and business conduct.
• Regulators lack confidence in traditional governance, risk management and compliance practices.
• New standards have emerged to address the expectation gap:
- NYSE Corporate Governance Standards
- COSO Enterprise Risk Management Framework and Application Techniques
- US Sentencing Commission Guidelines on Effective Compliance and Ethics Programs
- Open Compliance and Ethics Guidelines
The COSO Enterprise Risk Management Framework and Application Techniques Were Released in September 2004
• Genesis
- Framework development launched in early 2001
- Over 10,000 hours of development time
- Three-month public exposure period; over 78 comment letters received and considered
• The Framework
- A definition of risk and risk management
- Concepts, categories, principles and common terminology
- Key components of an effective risk management program
- Direction for enhancing existing risk management
- Criteria for determining the effectiveness of risk management
• Application Techniques
- Examples of how principles can be applied
(Figure: the two COSO ERM volumes, the Framework and the Application Techniques)
COSO ERM – Integrated Framework: Overview
COSO ERM Proposes a Definition for Enterprise Risk Management
• Enterprise risk management:
- Is a process
- Is effected by the people
- Is applied in strategy setting
- Is applied across the enterprise
- Is designed to identify events potentially affecting the entity and manage risk within its risk appetite
- Provides reasonable assurance to the entity’s management and board
- Is geared to the achievement of objectives
COSO ERM – Integrated Framework: Overview
The Enterprise Risk Management Framework
Foundational Aspects
• Starts with objectives
• Applies to activities at all levels of the organization
• Has eight interrelated components
Key Concepts
• Events and risks
• Risk appetite and risk tolerance
• Portfolio view
COSO ERM – Integrated Framework: Overview
Key Concepts: Events and Risk
• An Event is an incident or occurrence that could affect the implementation of strategy or achievement of objectives.
• Distinguish risk and opportunity
- Risk is the possibility that an event will occur and adversely affect the achievement of objectives.
- Events that may have a positive impact represent natural offsets or opportunities.
• Risks are measured using the same unit of measure as the related objectives.
• Time horizons are specified and aligned with objectives.
COSO ERM – Integrated Framework: Overview
Key Concepts: Managing Risks Within Risk Appetite and Risk Tolerances
• Risk appetite is a high-level view of how much risk management and the board are willing to accept
• Management forms a risk appetite at the entity level
• Management establishes risk tolerances, which are the acceptable level of variation around objectives, and align with risk appetite
COSO ERM – Integrated Framework: Overview
Key Concept: Assigning Roles and Responsibilities
(Figure: three alternative approaches to assigning roles and responsibilities among the Board, Senior Management and Central Function(s) for identifying, assessing and responding to risks)
The Open Compliance and Ethics Guidelines
• OCEG integrates effective practices associated with multiple disciplines into a framework of guidelines for managing compliance and ethics
- Governance
- Compliance / Legal Management
- Ethics Management
- Risk Management
- Internal Audit
- Human Capital Management
- Change Management
- Quality Management
PwC’s Point of View: Maximizing Value Through Strategic GRC Integration
www.pwc.com/governance
Integrate governance, risk management and compliance to drive value, effectiveness and efficiency
Build on a foundation of Enterprise Risk Management and Internal Control
Build a culture of compliance and ethics across silos
Implement an operating model that integrates GRC over time and leverages both regulatory and quality best practices
Strategically integrate Governance, Risk and Compliance Technology and Data Framework
Use of an integrated analysis framework for risk and compliance technology allows a company to collect essential information and assess the current technology environment across the company. This comprehensive set of requirements can then form the basis of the company’s risk and compliance technology strategy.
(Figure: integrated risk and compliance technology and data framework in five layers, with Security Management spanning all of them: I. Sources, comprising company-specific structured data (GL, front office systems, back office systems, operational databases, external data, other databases) and company-specific unstructured data (policies & procedures, content/document management, other); II. Connectivity & Quality (application integration & filtering, data quality); III. Repository & Processing (data repository, business process management, business rules engine); IV. Compliance Modules (key performance/risk indicators, provisioning/accountability, customer data management, survey, other modules); V. User Interaction (web portal with dashboards/reporting, e-mail, other devices))
Practical Considerations and Evaluation Principles
• Benchmark against leading practices (industry, COSO, FSG, OCEG)
• Use a risk-based approach to assess and recommend the depth of management, monitoring, auditing and reporting activities
• Develop a risk-based monitoring and reporting framework:
- Periodically risk-assess the inventory of requirements based on likelihood and impact
- Apply graduated monitoring resources as the risk of non-compliance increases (self-assessment, compliance monitoring, internal audit, third-party review, etc.)
- Involve board and senior management committees in reviewing and approving this framework, and on an ongoing basis in reviewing and approving ongoing risk assessments and the strategic allocation of monitoring resources based on framework principles
• Focus on regulatory expectations regarding independence and authority
• Assess and recommend structure, roles and responsibilities in a manner that leverages existing strengths and considers practical criteria, such as:
– Where does the core competence and subject matter expertise reside?
– Who is closest to the activity/risk?
– How to best ensure ownership, authority and independence?
Carlo di Florio, Director, Governance, Risk & Compliance Practice, PricewaterhouseCoopers – New York, 646-471-2275
• An international lawyer by training, Carlo has worked globally helping leading companies assess, improve and sustain leading practices in corporate governance, risk management, compliance and ethics.
• Carlo is widely published, serves on a number of standard-setting bodies, and is a frequent speaker on the subject of corporate governance, risk management, compliance and ethics. Carlo served on the PwC team that authored the COSO Enterprise Risk Management Framework and Application Techniques, and serves on the Steering Committee of the Open Compliance and Ethics Guidelines.
Appendices: ERM
Considerations in Applying the ERM Framework
• Enterprise Risk Management Vision – Develop a vision that sets out how enterprise risk management will be used going forward and how it will be integrated within the organization to achieve its objectives, including how the organization focuses its enterprise risk management efforts on aligning risk appetite and strategy, enhancing risk response decisions, identifying and managing cross-enterprise risks, seizing opportunities, and improving deployment of capital.
• Capability Development – The current state assessment and the enterprise risk management vision provide insights needed to determine the people, technology, and process capabilities already in place and functioning, as well as new capabilities that need to be developed.
Considerations in Applying the Framework
Considerations in Applying the ERM Framework (continued)
• Implementation Plan – The initial plan is updated and enhanced, adding depth and breadth to cover further assessment, design, and deployment.
• Change Management Development and Deployment – Actions are developed as needed to implement and sustain the enterprise risk management vision and desired capabilities, including deployment plans, training sessions, reward reinforcement mechanisms, and monitoring of the remainder of the implementation process.
• Monitoring – Management will continually review and strengthen risk management capabilities as part of its ongoing management process.
Considerations in Applying the Framework
Organization Structure (continued)
Our experience indicates that the benefits perceived by institutions of increased centralization include:
• Enhanced Independence & Objectivity
• Enhanced Visibility & Stature Across the Organization
• Enables Greater Understanding & Reporting of Enterprise-Wide Risk
• Improves Coordination & Consistency in Monitoring and Change Management
• Allows Flexible Resource Deployment
Organization Structure (continued)
• Objective: Compliance and Ethics function staffing is sufficient to meet program needs. This includes staff skills, expertise, and experience.
- Leading practices can include:
• Regulation, product, and subject matter specialists
• Project management specialists
• Technology, risk modeling, data mining, and board/management reporting specialists
• Specialized units in highly regulated industries (e.g., an advisory unit, a monitoring unit, an examination liaison team, a rapid response team, etc.)
- Our experience indicates that institutions have found it important to consider segregation of duties where appropriate, either within the function or program, or between centralized resources and line-of-business “embedded” resources (e.g., advisory & monitoring functions)