to make a positive · to make a positive difference to the retail industry and the customers it...
TRANSCRIPT
TO MAKE A POSITIVE DIFFERENCE TO THE
RETAIL INDUSTRY AND THE CUSTOMERS
IT SERVES
A GREAT PLACE
TO WORK
VIBRANT CONSUMER FOCUSED
RETAIL
GOOD FOR THE
ECONOMY
GOOD FOR CONSUMERS & COMMUNITIES
CAREERS Pay and progression Skills development
Employment practices
VIBRANT CONSUMER
FACING RETAIL
Contribution to communities
Product integrity Consumer and business trust
COMMUNITIES
Business taxation International trade
& EU regulation
COMPETITIVENESS Better regulation & enforcement
CHRISTMAS 2015
Source:
ON
S
5 4 3 2 1 0 -1 -2 -3 -4 -5 -6
QoQ % Change
Q1 2007
Q3 2007
Q1 2008
Q3 2008
Q1 2009
Q3 2009
Q1 2010
Q3 2010
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 2015
-50
-40
-30
-20
-10 0
10
Index
Jan-06 Aug-06 Mar-07 Oct-07 May-08 Dec-08 Jul-09
Feb-10 Sep-10 Apr-11 Nov-11 Jun-12 Jan-13
Aug-13 Mar-14 Oct-14 May-15 Dec-15
Source:
GfK
12% 10%
8%
6%
4%
2%
0% -2%
-4%
Con
sum
er S
pend
ing
(YoY
)
Source: ONS (Q3 2015)
4.5 4.1
4
3.5
3
2.5
1.5 1.8
1.0 1.0
0.5
0
1
1.5
2
Dec-11 Dec-12 Dec-13 Dec-14 Dec-15
Tota
l Sal
es Y
oY %
C
hang
e
Source: BRC-KPMG
2015/16
2014/15
2013/14
Dec Jan Feb
Christmas Black Friday
Source: BRC-KPMG
1. Consumers Don’t Think In Channels
11.2%
21.3%
0%
5%
10%
15%
20%
25%
2014 2020
Onl
ine
as %
of t
otal
reta
il sa
les £37bn
£78bn
CAGR: 13%
Source: Telefonica
Categories Driving Growth in Mobile Penetration 1.3 BILLION smartphones
sold globally in 2014 (+7%
YoY) 49%
58% 54% 53% 53% 51% 51% 49%
44%
40% 33%
30% 20% 10%
0%
50%
60%
Mob
ile
Pene
trat
ion
Source: BRC/Hitwise/ GfK
47%
39%
6% 2004 2005 2006
Town centre
Neighbourhood
13%
50% 45% 40% 35% 30% 25% 20% 15% 10%
5% 0%
2007 2008 2009 2010 2011 2012 2013 2014e
Out of town
*Non-store retail (incl catalogue)
Source: Verdict
2. Retailing Was, Is And Will Always Be All About The Consumer
Past
Functional
Present
Experiential
Drivers of Change
Physical • Planning • Demographical shift • Property • Transport • Consumer Choices • Technology
Digital Impact • Home Broadband • Multichannel Consumer
Choice • Growth of Connectivity • Proliferation of Mobile • Click and Collect
JEFF BEZOS ‚If you do build a great experience, customers tell each other about that. Word of mouth is very powerful.‛
STEVE JOBS ‘’You’ve got to start with the customer experience and work back toward the technology, not the other way around.‛
JOEL ANDERSON ‚I can't overstate how mobile is changing how we interact with our consumers, we have to embrace these changes’’
3. Industry Profitability Is Falling
YoY% change -ccn I I m:::t: -+::- N
'*' 0 N
'*' -+::- 0..
'*' '*' '*' '*'
I Dec-12 / :=co - c
Mar-13 > ) cn-c - - l ;c
Jun-13 I J l } en ....... I ( )
m )> Sep-13 r-t- ([) 0
m 3 U l Dec-13
T1 Mar-14 ( { l I
l/
1 1
{ I
r 1 1 Jun-14 ( (
( (
0 0 ....... a..
Sep-14 0 z \ \
I Dec-14 z 0 :::J
I Mar-15 0""""' 0a..
( f ) Jun-15 til 0 c., n ('])
OJ Sep-15 ;;o n · I z (']) n V1 (']) ::l
Dec-15
12%
10%
8%
6%
4%
2%
0% 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
EBIT
DA
Prof
it M
argi
n
Source: BRC Analysis/ DataStream
180 160 140 120 100
80 60 40 20
0
Inde
x
Food retailers - MV FTSE 250 - MV
Source: BRC Analysis/ DataStream
So Where Do We Go From Here?
• Consistency in brand delivery
• Managing high expectations
• Speed of response
• Speed of technological innovation
• Trust
• Pos Technology
• Beacons
• Augmented Reality
• 3D Printing
• Lockers
• Retailers Direct 3rd Party Networks
• Drones
Pay & Progression
Business Rates EU
DEVOLUTION HIGH STREETS & PLANNING
APPRENTICESHIPS
LATE PAYMENTS
ETHICAL LABOUR
LABELLING & ALLERGENS
TOY SAFETY
CYBER SECURITY
INTERCHANGE FEES WASTE
PRICING
DATA PRIVACY ENERGY
EFFICIENCY
1
Retail Audit Forum – London, January 21, 2015, P Courtemanche
‘Own Brand and Private Label Products Effective management of reputational and regulatory risk’
Session Plan
Opening presentation: 30 minutes on Ethic, Risk and Traceability within supply chains
• 10 minutes guided table discussions, • What assurance do you currently get across your whole
supply chain? • What can be improved and how?
Second presentation: 10 minutes on the Modern Slavery Act • 10 minutes guided table discussions, • What preparations are you making for MSA compliance? • Where do you consider yourselves most at risk?
Feedback: 30 minutes for tables to feed back, hold general Q&A and interaction
Ethical trade
Source: Professor Robert Hijmans, University of California
Each dot represents 250,000 people living on less than 2 dollars per day
Ethical trade
Over 3000
Africa’s new class pyramid
Less than $2/day
60%
Population living below the poverty level
Between $2-$4/day
Between
$4-$10/day
Between
$10-$20/day
More than $20/day
20%
9%
5%
6%
Floating class
Lower middle class
Upper middle class
Upper class
Source: AfDB
•
' / \ H .\
Efficient campaigning ...
-' car 2PETITIONS
Tell Nestle to Help Stop Slave Labor Used to Make Pet Food!
. . . .I I ' $UPPOIH£ S
00.000
Stop Nest/ f rom destroying rainforests f..o..r..p..s..,l.m......o..,i.llid..,
Nestle confirms labor abuse among its Thai seafood suppliers
AI> " ' • 'u" ''" wriiiOOU. - t.o. .fl'folfr:J :l:lS&.HFt.l
a a aa Y 1" X
2010 - Nest le stops pu rchasing ra in forest-dest roying pa lm o i l
r•w no. Mort k t 'illNY etreclireetobtl C:rtenptK& c"'.'f'elbl p t • , . l i f : l9 lhe Ki t " - ' t.w.""-' lfMt food 9MI'II t t o l l j
IO •tott purdli!ISinQ .,.rmo t t l t o m MUI 'Cb U..t o y l n n r•lnfOt'est.s-
....-
...... .. t I • , . . . , . , . . , . . . . . . . . . . ) ' " " ' - _ " ' , _ ,
Th
an
ks f
o r
the br
ea
k!
2015- Corporate Scandals accordingly to The Guardian
0 Matthias Muller, CEO ofVW, while addressing journalists in October 2015. Photograph :Odd Andersen/AFP/Getty Images
CD0® Q Aenal view of damages after a dam b u m n the (!)0 ® village of Bento Rodngues, in Mariana, Minas Gera1s state, Brazil, on November 6, 2015. Photograph · Christophe S!mon/AFP/Getty Images
What is at stake?
Market Value
Book Value
$217 B
$133 B
Brand Equity: $84 B
Market Value
Book Value
$177 B
$30 B
Brand Equity: $147 B
Market Value
Book Value
$22 B
$1.5 B
Brand Equity: $20.5 B
Finance data provided by:
Brand damage
Complex supply chains
Eating a hamburger and fries in Austria
Mineral supply chains
Smelter Electronic devices Exporter
‘’ EU smelters and refiners importing designated conflict minerals and metals will have to be certified by the EU to help cut funding to armed groups, if draft legislation is brought in this year.’’ April 15, 2015
‘’ MATERIALS used in your mobile phone and laptop could be fuelling sexual violence and war in places like the Democratic Republic of Congo, Burma and Colombia.’’ April 9, 2015
‘’ More than 1,300 U.S.-listed companies filed reports on their efforts to root out so-called conflict minerals in their supply chain, but only four companies were brave enough to face an audit, according to a report Thursday.’’ September 18, 2014
‘’ In 2013, rebel groups in DRC generated almost $1bn from minerals extracted from mines in conflict zones and use the profits to pay soldiers, buy weapons and attract new recruits… combatants are willing to use brutality to obtain minerals.” June 18, 2014
The conflict minerals issue:
Artisanal miner Electronic components
Slavery in prawn supply chain
CP FOODS Prawn farms
Large Thai food distributor Retailers
Fishmeal suppliers
Fishmeal fishing
‘’ A six-month investigation has established that large numbers of men were bought and sold like animals and held against their will on fishing boats off Thailand’’
‘’ Horrific conditions, including 20-hour shifts, regular beatings, torture and execution-style killings’’
‘’Some were at sea for years; some were regularly offered methamphetamines to keep them going.
Some had seen fellow slaves murdered in front of them’’ ‘’ In addition to Walmart, Carrefour, Costco and Tesco, the Guardian has identified Aldi, Morrisons, the Co-operative and Iceland as customers of CP Foods ‘’
Issues far down the supply chain:
The basics for procurement
The aim:
• The right product (spec compliant)
• Delivered in the right quantity, at the right place, at the right time (just in time)
• In a cost-effective manner
Running supply chains full speed…
What you need to ensure:
• Know and understand your supply chains
• Identify and asses the risks
• Manage the risk
• Have leverage over your suppliers
• Mitigate risks
• Have backup plans
What you need to avoid:
• Supply chain blindness
…at the lower cost
Being proactive or reactive?
Quality Control
Quality Assurance
Time
Cost
Brief
Design
Manufacture
Shipping
Distribution
Sale
Concerns & Returns
Being proactive or reactive?
Sourcing complexity/risks
Prof
it im
pact
Leverage supply
Non-critical supply
Strategic supply
Bottleneck supply
Supplier assessment & performance
Being proactive or reactive?
Chain of custody
Paper trail
Risks/Regulation
Repu
tatio
nal d
amag
e/Br
and
com
mitm
ents
Traceability of raw materials & products
Mass Balance traceability
Physical traceability
What are the options?
Certification Make your suppliers
responsible through contracts
Put yourself in the driver’s seat and take control
The Race to Trace*
*MIT CTL Roundtable - The Race to Trace: Integrating Profits, Planet, and Precaution
… consumer brands are already going traceable
‘Kuerig Green Mountain commits to source 100% traceable coffee by 2020’
‘As a responsible food company, we believe our products should contain palm oil that is traceable back to the plantations …. Traceability is critical to achieving this; knowing exactly where the palm oil we buy comes from is the only way to assess practices on the ground and understand if improvements need to be made.’
‘We …are now making changes to further strengthen traceability throughout the entire food value chain.’
‘100 per cent of the raw coffee used in their products should have transparent origins and be traceable right back to the field it was grown in.’
About traceability… ‘2014 has been a defining year for our goal to create a more transparent palm oil industry. Knowing where it comes from is a critical step in the journey.’
Italy
Stephanie Kirchgaessner i n Rome W:dne m y 17 June 20 15 16.30 SST
ooeooo <Sha:;;s . . Comments
3.208 179
0 Save for later
Nutella spat: French minister says sorry over call to stop eating spread
Italy's environment minister said he planned to eat Nutella for dinner after French counterpart urged people to avoid product overdeforestation fears
France's environment minister Segolene Royal hasoffered "a thousand apologies" after urging the p_ublicto stopeating Nutella because it was destroying the environment
Tracing what?
INCREASE SUPPLY CHAIN VISIBILITY
Products compliance
Suppliers assessment
Impacts assessment
Regulatory compliance
Sustainability
Premiums assessment
Risk management
Physical traceability
Chain of custody
approach
Mass / Balance
Approach
Safety
Assurance
Products recall
Supply chain control
Quality
What a good Traceability System should allow
Counterfeit
Technology available
Supply Chain Management
• Many solutions available
• Focus on stock management, control and logistics
• ERP-type systems or feeding such systems
• Often linked to financial and accounting systems
Supplier Procurement Manufacture
Product Inventory Distribution
Retail Consumer
Point of origin
Point of consumption
Technology available
Product Compliance
• Increasingly available solutions
• Focus on compliance, security of supply, quality control
CONTROL
Business intelligence
Product development
Regulation
Sourcing & selection
Product approval
Sale & post sale
assessment
Technology available
Supplier Assessment
• Increasingly
available solutions
• Focus on supply chain mapping, suppliers approval and performance
Technology available
Tracing and Tracking
• Fewer solutions available
• Focus on movement of products, raw material origins and processing, sustainability and assurance
Technology available
Supply Chain Management
Product Compliance
Supplier Assessment
Tracing and Tracking
• Many solutions available
• Focus on stock management, control and logistics
• ERP-type systems or feeding such systems
• Often linked to financial and accounting systems
• Increasingly available solutions
• Focus on compliance, security of supply, quality control
• Increasingly available solutions
• Focus on supply chain mapping, suppliers approval and performance
• Fewer solutions available
• Focus on movement of products, raw material origins and processing, sustainability and assurance
What makes a good system?
A good Traceability System should:
• Inform sourcing decisions and supplier engagement
• Build trust
• Protect commercially sensitive information
• Ensure data security
• Allow selective data sharing
• Synchronise data across devices and platforms
• Improve efficiency
• Inter-operate with other platforms and technology
• Its cost should decrease with time and maturity
• Cope with operations and field/market realities
Traceability could be complex
End-to-end traceability of complex supply chains
The GeoT approach
Providing internal & external traceability with
GIS data
Raw Materials
Producer
Processing / warehouse
Cooperatives / Traders
Export
Geotraceability report showing the contribution of producers to supply
End-to-end traceability
ORIGIN TIER
SUPPLY CHAIN TIER 2
SUPPLY CHAIN TIER 3
SUPPLY CHAIN TIER 4
GeoT’s Collaborative Traceability Platform
GeoT
= Interoperability between systems
CUSTOMER TIER 5
ERP
Traceability Request
GEOT’S WEB SERVICE
A supply chain partner can provide requested traceability data by : • Configuring its Information System (SAP, Oracle, MS Dynamics, Excel, etc.) to automatically receive and answer data requests • Responding to the data request through the user-friendly and secure GeoT Web Service
Product flow
Product flow
Product flow
Product flow
Tips and advice
• Determine clear objectives
• Evaluate the leverage you have on your suppliers
• Define your data framework and traceability requirements
• Prioritise products, suppliers, origins, raw materials
• Adopt a phased approach
• Get a good understanding of what the IT providers are offering
• Identify which technology suits your needs
• Put yourself in the driver’s seat
A new piece of legislation setting out a range of measures on how modern slavery and human trafficking is dealt with in the UK.
The Modern Slavery Act
Share of each country's population that is enslaved. Click to enlarge. Data source: Walk Free Global Slavery Index. (Max Fisher/The Washington Post, October 17, 2013)
What are the requirements?
The Act and accompanying ‘Practical guide’ describes the requirements for businesses. Here is a PwC summary of what you need to know.
Does your business have to comply?
What do you have to do?
Your business has to comply if it meets the two criteria below. These rules apply to public and private companies, and partnerships, wherever they are incorporated or formed and in whatever sector they operate. • Global turnover of over £36m
• Carries out business, or is part of a business, in any part of the United Kingdom
All obligated businesses must publish a ‘slavery and human trafficking statement’ for each financial year. This statement should disclose:
• Either the steps your business has taken during the financial year to ensure that slavery and human trafficking is not taking place in your own operations and in your supply chain; or
• That you have taken no such steps.
• Whilst you will fulfil your regulatory requirement by publishing a statement explaining that your company is taking no steps, this introduces additional reputational risk –we do not expect many companies to take this option.
What are the requirements?
What is the timeline for action? Any business with a financial year ending on or after 31 March 2016 will need to publish a ‘slavery and human trafficking’ statement. The Act states that businesses should publish their statements as soon as reasonably practicable after the end of each financial year for which they are producing the statement.
What should be included in the statement? The Government has stressed that the contents of the statement is not prescribed and that it is up to each company to decide on the content of its statement. However, the Act describes six areas of interest: • Your business’ structure and a summary of its operations and its supply chains; • Any policies relevant to slavery and human trafficking; • Due diligence processes in relation to slavery and human trafficking in your business and supply chains; • The parts of your business and supply chains where there is a risk of slavery and human trafficking taking place,
and the steps you have taken to assess and manage that risk; • The effectiveness of your approaches in ensuring that slavery and human trafficking is not taking place in your
business or supply chains, measured against such performance indicators as you consider appropriate; and
• Training about slavery and human trafficking.
What are the requirements?
Who should approve your statement? The Act states: • If your business is a corporate body other than a limited liability partnership, it must be approved by the board
of directors (or equivalent management body) and signed by a director (or equivalent); • If your business is a limited liability partnership, it must be approved by the members and signed by a
designated member; • If your business is a limited partnership registered under the Limited Partnerships Act 1907, it must be signed by
a general partner; or • If your business is any other kind of partnership, it must be signed by a partner.
Where should you publish the statement? You should publish the statement on your website with a prominent link to it on your homepage.
What happens if you do not comply? Theoretically, the Secretary of State could force you to disclose the statement through an injunction. However, the Government have made it clear that it is hoping that pressure from stakeholders will encourage businesses to
comply without it needing to bring civil proceedings in the High Court.
Modern slavery and forced labour in global supply chain
Recent articles:
• US Steps Up Fight to End Modern Slavery, Voice of America, January 5, 2016
• Modern Slavery in the Travel Industry, fieldfisher, December 16, 2015
• Modern-day slavery is just part of business in Tha il an d’s se afood exp or t cap ital , a major su ppl ie r for U.S. brands, Daily News, December 15, 2015
• Modern Slavery Act 2015: lessons learned from Nestlé, TaylorWessing, December 16,2015
Human trafficking involves the movement of a person, either across international borders or within the boundaries of a single country, by means of threat, deception or abuse of vulnerability for the purpose of exploitation.*
‘Can the worker quit when he/she wants, without penalty?’
Different channels: • Directly by the supplier • By an intermediary used by the
supplier, such as labour broker • By third parties (unknown by the
supplier or the intermediary) *Source: Sedex Global, April, 2014
How to address and manage the risks?
Filipino workers in Taiwan, a breakdown of worker's wages for a two year contract
TWD 17,280/month – c.6$/day
Source: Verité Audit 2009
• Raise awareness internally and externally of the risks of human trafficking;
• Establish corporate policies to address forced labour, human trafficking and the vulnerabilities of migrant workers;
• Map your supply chain to identify the most vulnerable workers and places of greatest risk and to target assessment, prevention & remediation efforts;
• Assess whether current monitoring and remediation activities are adequately protecting the company from broker-induced forced labour;
• Review supply chain practices to determine whether structural conditions (such as prices paid to suppliers) encourage forced labour or debt bondage;
• Build the capabilities of suppliers to identify and address risks of forced labour;
• Hold suppliers accountable to control antitrafficking risks in their operations;
• Engage public policy actors in support of laws, regulations and enforcement that effectively protect workers;
• Participate in industry or multi-stakeholder initiatives to undertake training, awareness raising, communications, and advocacy;
• Invest in local institutions that provide support for trafficking victims. Source: Sedex Global 2014
65
Retail Audit Forum
21st January 2016
66
Agenda
No. Item
1 Post Office Limited
2 Business Transformation Overview
3 Business Transformation Assurance
4 Planning
5 Execution
67
Post Office Limited
• Public Sector owned business • Separated from Royal Mail Group in April 2012 • Currently 11,780 branches across the UK
including 300 Crown branches • Employ almost 8,000 people • 99.7% of UK population within 3 miles of a branch • Modernisation of business to include new and
upgraded products and services: • Post Office Money • Letters and Parcels • Identity and Licenses • Broadband and Mobile • Travel • Business Services • Branch Services
68
Business Transformation Overview
• £2bn HMG injection to transform Post Office into a financially stable business in its own right
• Overall governance and management structure to integrate all elements of portfolio
• Central plan – changes to milestones and benefit realisation timelines approved by central management
• Portfolio of projects and programmes, each with their own risks, issues and dependencies
• High number of partners and vendors adds to complexity
69
Business Transformation Assurance
TESG
TDA TCFG TDG
Programme Steering Groups
GE
1. Risk and control matrix
2. Supporting test papers
3. Initial analysis and findings
1. Recommendations identified and recorded in the observation log
2. Report produced providing a summary of BTA’s findings and opinion
1. Terms of reference covering scope and timings of review
2. Statement of work between POL and Deloitte
3. Report and Recommend 1. Scope and Initiate 2. Assess and Analyse
Governance
Ways of Working
• Independent team within Internal Audit – separate from BAU
• Report directly to Transformation Director and Assurance Sponsor
• Regular updates to Governance bodies
• Accelerated escalation for time sensitive recommendations
70
BTA Resourcing
• We have chosen to co-resource our transformation assurance function with a partner (Deloitte). This is due to the ability of a co-source partner to bring: • A range of specialists to cover the broad and complex nature of
transformation • Flexibility to increase and decrease the size of team in line with the demand
for reviews • Experience from other organisations and transformational activity
• The transformation assurance function contains POL permanent employees
which helps to bring additional organisation and stakeholder knowledge of POL
• Although BTA is a co-source team of both POL and Deloitte, we have focused on building a ‘one team’ approach
• We selected our partner through a competitive tender and internally we allowed the transformation leadership to have input into this (as well as Internal Audit)
71
Assurance Planning
• Flexible but controlled assurance plan, to align with fluid Transformation activity
• We aim to have a minimum impact to delivery through careful review scheduling, focus and approach
• Reviews planned to coincide with key milestones
• Deliberate targeting of critical programmes and pinch points (often identified through comprehensive risks assessments of transformation)
• Governance and change control through a Transformation Risk and Assurance Group (as well as reporting into BAU risk and audit forum)
• Flexibility required to conduct reviews at short notice
• Collaborative planning between all 3 lines of defence
• Regular updates to identify potential risks and issues
• Co-ordination with BAU audit plan required (to avoid gaps / duplication)
Governance
RCC ARC TRAG
BTA
TDG
72
Assurance Execution
• As much as possible we are utilising our BAU methods and templates for transformation assurance reviews. However, we have had to be flexible and tailor our approaches, including: • Earlier and continual escalation and communication of observations i.e. not
just waiting for formal reporting at the end of a review (this is due to time sensitivity of change initiatives)
• Increased stakeholder management required compared to a typical BAU audit as often transformation activity crosses the responsibilities of multiple c-suite members
• From working with our co-source partner we have identified some tools, techniques, ways of working which we have incorporated into our BAU reviews
• Recommendations presented to management and centrally tracked to identify
pervasive risks and issues
73
Summary and Questions
RETAIL AUDIT FORUM Jury’s Inn East Midlands Airport, Castle Donnington
WHAT’S ON THE MINDS OF AUDIT COMMITTEES?
Tim Foster
THE LATEST FRC GUIDANCE
• Changes to the UK Corporate Governance Code issued in September 2014 • Key changes in the areas of:
• Executive directors’ remuneration • Risk management, internal control and going concern • Relations with shareholders
• Changes ‘are designed to strengthen the focus of companies and investors on the longer term and the sustainability of wealth creation.’
• Companies with a premium listing on the London Stock Exchange are required to comply with the Code or explain why they have not.
• Revised Code emphasises the board’s role in establishing the ‘tone from the top’ of a company in terms of its culture and values and the importance of diversity of approach and experience in encouraging dialogue.
• The revisions also reflect Sharman’s recommendations on going concern and liquidity risks.
UK CORPORATE GOVERNANCE CODE
THE LATEST FRC GUIDANCE
In the annual report the directors should:
• Confirm they have carried out a robust assessment of their principal risks, including those that would threaten its business model, future performance, solvency or liquidity (new Provision C.2.1)
• Describe the principal risks and explain how they are being managed or mitigated (new Provision C.2.1)
• Taking account of the company’s current position and principal risks, explain how they have assessed the prospects of the company, over what periods they have done so and why they consider that period to be appropriate (new Provision C.2.2).
• State whether they have a reasonable expectation that the company will be able to continue in operation and meet its liabilities as they fall due over the period of their assessment, drawing attention to any qualifications or assumptions as necessary (new Provision C.2.2).
RISK MANAGEMENT, INTERNAL CONTROL AND GOING CONCERN
THE LATEST FRC GUIDANCE
The board should also:
• Monitor the company’s risk management and internal control systems on an ongoing basis (revised Provision C.2.1 now Provision C.2.3).
• At least annually, carry out a review of their effectiveness, and report on that review in the annual report (revised Provision C.2.1 now Provision C.2.3).
• Explain in that report what actions have been or are being taken to remedy any ‘significant failings or weaknesses’ identified (Section 6, para 58 of the Guidance).
RISK MANAGEMENT, INTERNAL CONTROL AND GOING CONCERN
THE LATEST FRC GUIDANCE
• FRC has published ‘Guidance on Risk Management, Internal Control and Related Financial and Business Reporting’
• Provides a useful summary of the conclusions of two previous reports ‘Boards and Risk’ and the Sharman Inquiry into going concern and liquidity risk
• Key points (page 2, para 11):
• The board must determine its willingness to take on risk, and the desired culture within the company
• Risk management and internal control should be incorporated within the company’s normal management and governance processes, not treated as a separate compliance exercise
• the board must make a robust assessment of the principal risks to the company’s business model and ability to deliver its strategy, including solvency and liquidity risks. In making that assessment the board should consider the likelihood and impact of these risks materialising in the short and longer term
RISK MANAGEMENT, INTERNAL CONTROL AND GOING CONCERN
WHAT HAS FORCED THE CHANGE?
• Increased regulation
• Stricter regulation to ensure that companies are genuinely accountable and transparent
• Investors are demanding that boards and leadership teams demonstrate more risk awareness
• Executive pay has come under scrutiny from the government and the public
• Quickening pace of globalisation
• Trading and communications now operate continuously forcing firms to react quickly to market changes
• Evolution of technology creates new areas of opportunity as well as new areas of risk
• It is the role of the Board to navigate firms through these changes
• As the nature and complexity of the issues shift, it is inevitable that the role of the NED will have to change too
• Growing consensus that boards need more current serving executives to bring much needed “day job” to the boardroom
WHAT HAS FORCED THE CHANGE?
• Financial crisis
• Government and regulatory bodies seeking to exert greater control over their composition and working practices:
• The Bribery Act
• Walker Review
• EU Green Paper
• The Davies Report
THE ROLE OF NEDS IN RISK MANAGEMENT
The Board should:
• Decide the culture it wishes to establish
• Agree the risk management strategy and policy
• Agree the risk appetite
• Ensure there is regular and adequate discussion at the board
• Monitor the quality and timeliness of information received
• Agree the use of delegation
• Consider what assurance is required and, if there are any gaps, determine how this should be addressed.
• Ensure it has the skills and competencies to challenge management on their identification, assessment and management of key risks and to ask relevant questions on the system of internal control.
WHAT DOES GOOD LOOK (AND FEEL?) LIKE?
• Tone as stated at the top is reflected in feedback from staff, clients/customers
• Risk strategy, policy and appetite clearly stated and promulgated through the business
• Accountabilities and responsibilities are clear (not just at Board and senior management level but throughout the organisation)
• The Board reviews its own effectiveness as a group and individually
• Robust discussion on key risks as part of regular board meetings
• Clear role and remit for the Audit Committee around risk management and internal control processes (including internal audit if appropriate)
• Risk reports focus on a mix of ‘horizon scanning, scenario planning/resilience testing and changes to risk profile’. The Board has an opportunity to discuss ‘what if’ scenarios
• Risk reporting is timely, not 3 months after the event (and not the item on the agenda before AOB!)
• Staff have been trained in risk management and internal control
• 3 lines of defence visible and being reported on
• Use of assurance frameworks
A FEW HEADLINES FROM BDO NED SURVEY
• Risk management is high on the board’s agenda
• Risk identification is a key area of focus
• Risk appetite is proving difficult for over 50% of those surveyed
• Some concerns about ongoing evaluation of strategy and poorly communicated risk plans
• Top risks NEDs are concerned about include:
• Regulatory changes/regulatory requirements
• Credit/market/liquidity risk
• Geopolitical risk
• Disruptive technology
• Information security
AUDIT COMMITTEE OBLIGATIONS
• The role of the Audit Committee is one of oversight of the integrity of a company's financial affairs in both the interests of shareholders and on behalf of the Board. This includes everything from the effectiveness of a company's internal control environment to the fair presentation of information in the financial statements.
• For listed companies, there is a requirement for an Audit Committee to report to shareholders in the annual report and for unlisted companies, an Audit Committee can ensure best practice is adhered to.
• The Audit Committee of the board of directors is responsible for oversight of the financial reporting process, selection of the independent auditor, and the receipt of audit results both internal and external.
• In many companies the Audit Committee also deals with risk areas and acts as a governance committee, where increasingly issues are delegated by the Board to subcommittees.
THE NEED FOR VALUE ADDING INTERNAL AUDIT
• Increased emphasis on corporate responsibility and accountability - internal audit has a higher profile role in all sectors as credible business partners to evaluate how well risks are being managed.
• Organisations face renewed corporate governance concerns, as well as intense internal and external scrutiny.
• Many are struggling to keep pace with the changing regulatory environment and to distinguish, let alone deal with, the complex risks they face. It is clear that Boards are now far more aware of the importance of understanding risk.
• Internal audit is increasingly playing a key role in helping organisations to identify and put in place systems to manage their key risks, and to help ensure business systems and processes are fit for purpose to protect the business and, as importantly, to add value.
• A reactive approach to Internal Audit is no longer acceptable - there can be no surprises when it comes to dealing with the risks and opportunities in your business.
THE NEED FOR VALUE ADDING INTERNAL AUDIT
• Because Internal Audit looks beyond financial risks and statements to the wider issues that help businesses to mitigate the risks to which they are exposed - this means the strategic value of Internal Audit is greater than it has ever been.
• The expectations placed upon Internal Audit have increased, with the function being relied upon to make significant contributions to the business.
• Need to understand the value sought from internal audit by stakeholders, i.e. the Audit Committee, Senior Management etc., where they require assurance and potential issues that need to be considered in terms of the future assurance needs for the business.
HOT TOPICS FOR AUDIT COMMITTEES
• Strategic Planning and Oversight
• Corporate Performance and Valuation
• Managing risk
• Emerging technologies
• Cyber Security
• Data Analytics
• Ethics and integrity
• Sources of assurance
STRATEGIC PLANNING AND OVERSIGHT
• Assessing strategic priorities
• Clear view on strategic an emerging risks facing sector/business
• Reassessing the role and remit of the audit committee
• Reprioritisng the scope of assurance providers, including internal audit
CORPORATE PERFORMANCE AND VALUATION
• FRC: “reasonable expectation that the company will be able to continue in operation and meet its liabilities as they fall due”
• Financial Viability Statement review
• Challenge assumptions
• Need a framework to ensure you have sufficient liquidity, that forecasts are realistic and sensible, that risks are understood and any new activities are thoroughly considered and evaluated
• Stress testing – robust testing against identified risks and combinations of risks – mitigating actions
• Quality of data becoming an emerging topic
MANAGING RISK
• Focus on the top risks
• Challenge management on the adequacy of its risk management processes
• Question management’s assessment of the company’s risk appetite
• Consider whether strategic goals and objectives should change
• How are third-party risks managed and monitored?
• Who has access to our data?
EMERGING TECHNOLOGIES
• Drive revenue and growth
• Present new risks and challenges
• Better use of data
DIGITAL JOURNEY
WEB
MOBILE
SOCIAL MEDIA
SOCIAL APIS
AUGMENTATION
DATA JOURNEY
DATA
MI
BI
DATA AGGREGATORS
INSIGHTS ON DEMAND
TECHNOLOGY BUSINESS JOURNEY
MULTIPLE SOLUTIONS
CONSOLIDATE / INTEGRATE
WEB / MOBILE
CLOUD REVOLUTION
SOCIAL / DIGITAL / DATA STRATEGIES AND ROLES
CYBER SECURITY
• Cyber security assessment
• Structure of governance around cyber security and how it fits into the company’s overall ERM program
• Greatest risks to the company’s highest value assets –and how human capital and financial capital are aligned around them
• Cyber security “scorecard” –addressing key risks areas, incidents, trending, and what’s happening in the environment
• Cyber-incident response plan – defining the processes and steps for managing a cyber incident
• All data is not equal –understand the value of the company’s various data sets, and whether appropriate resources are devoted to securing the most critical assets
• Recognize that most IT risk is people risk. How are we monitoring people risks?
• Request regular cyber incident reports to monitor cyber attacks and trends
• Understand the company’s cyber-incident response plan
• Conduct robust IT risk assessments periodically – and consider the need for an independent risk assessment
DATA ANALYTICS
• Rapid rise of mobile smart devices, social media, remote sensors and cloud computing has opened up new opportunities for the analysis of the large quantities of data
• use of data analytics allows organisations to extract and ‘clean’ data from multiple operating and legacy systems to deliver real insights to stakeholders, as well as delivering further benefits by underpinning data quality improvements
• The benefits and value of using data analytics include:
• More robust audits – e.g. 100% sample sizes and ability to drill down to finite levels of detail
• Efficiency - audit multiple locations from your desk - total coverage for each audit area
• Added value - provide meaningful and useful management information to auditees through data profiling and trend analysis
• There is an assumption as to the right to audit
• Audit dashboards allow a live feed of organisational data from each of the streams audited to be fed into a central location - alerts to flag anomalies
DATA ANALYTICS
Value of Data Analytics
More robust audits
• One hundred per cent sample sizes
• Ability to drill down to finite levels of detail
• Opportunity to audit more risks/scenarios
• Meaningful reports that tell the whole story
Efficiency
• Ability to audit multiple locations from your desk
• Repeatability leading to audit efficiencies and wider audit coverage in subsequent years
• Total coverage for each audit area
Added Audit Value
• Ability to provide meaningful and useful management information to auditees through data profiling and trend analysis
DATA ANALYTICS
Design Testing Extract Analyse Exception
Reporting Investigate
DATA ANALYTICS: METHODOLOGY
ETHICS AND INTEGRITY
• Ethics and integrity are fundamental to an effective governance framework and the foundation for developing a culture that supports employee, customer and investor confidence.
• Ever growing set of rules and regulations
• Equality
• Diversity
• Modern Slavery Act 2015
• If ethics and integrity weaknesses can lead to fraudulent financial reporting, reputational damage and business failure is more likely to occur.
• Audit committees for assurance about ethical behaviour might ask:
• What is the company culture?
• How compliant are we?
• What red flags do we need to watch out for?
SOURCES OF ASSURANCE
• Limitations in assurance scope
• Internal audit resourcing challenges
• Peer auditors
• Guest/seconded auditors
• Deployment of risk skills on key engagements
• Integrated assurance
• Continuous/real time auditing/monitoring
• Use of data analytics
• Auditing at the pace of change
• Maximising value
• Relationship with key stakeholders
• A clear view on strategic an emerging risks facing sector/business
• Process mining
• Innovative audit reporting
INTERNAL AUDIT MARKET
COMPLIANCE
EFFECTIVENESS
EFFICIENCY
ADEQUACY
PERFORMANCE
Maturity of controls
environment and risk
management processes
Skills and expertise
required from the internal audit team
VALUE PRESERVATION
(core assurance) VALUE CREATION
OPE
RATI
ON
AL
(pol
icie
s, p
roce
dure
s,co
ntro
ls)
STRA
TEG
IC
(em
ergi
ng r
isks
, pr
iori
ties
)
INTERNAL AUDIT MARKET
• An extraordinary amount of change affecting the audit market at present - increased emphasis on corporate responsibility and accountability
• Renewed corporate governance concerns, as well as intense internal and external scrutiny - struggling to keep pace with the changing regulatory environment and the complex risks they face
• Reviewing and assessing areas such as board information and the corporate risk and compliance culture, requires far greater judgement, sensitivity, and qualitative assessment than traditional internal audit work
• The strategic value of IA is greater than it has ever been - expectations placed upon IA have increased with the function being relied upon to make significant contributions to the business (moving from value preservation to value creation), not only in terms of assurance, but in terms of the value that it provides.