GRC November 2022 Course Slides


Governance, Risk Management and Compliance (GRC)
Peter Hofmann
November 2022
Course overview & objectives
• Provide an understanding of the concepts, guiding principles and elements of
integrated GRC frameworks
• Review the link between GRC and business strategy, performance and business
sustainability
• Understand the key principles and elements of sound corporate governance
frameworks
• Review key concepts applicable to risk management frameworks
• Link compliance structures to support governance, risk management and
value creation
US$74bn – the total value lost by shareholders in the 2001 Enron accounting scandal
US$50bn – the amount hidden via loans disguised as sales by Lehman Brothers in 2008
9.2 – the average number of company directors serving on company boards in the United States
75% – the increase in the number of publicly traded companies reporting on ESG (Bloomberg database 2008 – 2011)

Source: How Business Works, DK, 2015


GRC history
Timeline shown on the slide: to 2002, 2002-2007, 2007-2012, 2012-2017, 2017-2020, 2021+
• GRC 1.0 – SOX Captivity: With GRC 1.0 there was a focus on a few risk areas involving selective silos and transactions, particularly for GRC efforts scattered and reactive
• GRC 2.0 – Enterprise GRC: GRC 2.0 took a broader view bringing more functions into perspective while focusing on an internal control over financial reporting perspective of risk and compliance
• GRC 3.0 – GRC Architecture: GRC 3.0 provided for aligning strategy, process, information, and technology into a GRC architecture to deliver a holistic understanding of risk in the context of strategy and integrated objectives amidst organisational velocity and change
• GRC 4.0 – Agile GRC: GRC 4.0 focused on highly configurable technology into a GRC architecture to provide highly visual and interactive GRC interfaces that are highly intuitive and engaging and contextually relevant and easy to navigate for the role using them
• GRC 5.0 – Cognitive GRC: GRC 5.0 incorporates the role and impact of cognitive and artificial intelligence technologies on GRC. Areas including machine learning, natural language processing and predictive analytics are taking Agile GRC technologies to the next level
What is GRC?
GRC is a management model that promotes the criteria unification, as well as
communication and collaboration between different stakeholders in the
management and control of the organisation

Governance
• Strategy
• Goals and objectives
• Policies and procedures
• Structures and processes

Risk Management
• Identify risks
• Risk analysis
• Risk profiles
• Risk monitoring
• Achievement of objectives

Compliance
• Comply with policy and procedures
• Laws and regulations
• Controls
• Activities

Risk management – determines the areas exposed to potential risks
Governance – manages the risks to the execution of the strategy as well as the risks from the chosen strategy
Compliance – is the tactical action to mitigate risk
Source: Deloitte – May 2013
Abilities to be Competitive
• POSSIBILITY THINKING – Do we think “out of the box” about what could be, rather than about what is, or what is impossible?
• LEARNING & CHANGE – Are we alert to what’s happening around us, and do we learn and change fast enough?
• STRATEGY – Do we understand our challenges, and do we have a clear view about what we must do?
• STAKEHOLDER SUPPORT – Do we actively seek to win “votes” through strategic conversation?
• IMPLEMENTATION CAPABILITY – Do we have what it takes to meet our ambitions, and will our practices deliver the results we want?
• BUSINESS MODEL DESIGN – Have we designed our organisation to meet our objectives?
GRC Technologies
Technology areas shown on the slide:
• Strategy & Performance Management
• Risk Management & Analytics
• Third Party GRC Management
• Integrated GRC Platforms
• AML, KYC, Fraud & Corruption Management
• Audit Management & Analytics
• Automated Continuous Control Management
• Reputation & Responsibility Management
• Business Continuity Management
• Compliance Management
• Quality Management
• Ethics Management
• Policy & Training Management
• Environmental Management
• Physical Security Management
• Legal Management
• Health & Safety Management
• Finance GRC Management
• IT GRC Management
• Internal Control Management
• HR GRC Management
GRC
Why are organisations seeking a better approach to GRC:
• Uncertainty due to economic instability
• Concern about the risk environment – greater focus on effectiveness and
adequacy of internal controls
• Rise in complexity and regulation
• Business performance
• Sustainability
• Stakeholder demands
• Integrated approach supports decision making
Source: Institute of Chartered Accountants in Australia / KPMG – 2012
Key questions
• Do we have separate departments managing risk, compliance and assurance
without an overarching framework?
• Is the quality and quantity of risk and compliance information provided to the
board and audit/risk committees appropriate to provide relevant insight at the
right time?
• Do we need to piece together multiple pieces of information from risk,
compliance and assurance departments/providers to obtain an overall view of
our organisation’s risk profile?
• Is the information we receive on our risk and control environment sufficiently
transparent for informed decision making?

Source: Institute of Chartered Accountants in Australia / KPMG – 2012


GRC
Convergence of GRC is evolving:
• Response to market uncertainty and complexity
• Not about a technology tool
• Different way of thinking
• Drive maximum value from complementary activities
• Information to drive performance and achieve compliance
• Audit/ risk committees play pivotal role:
– Key sponsors
– Alignment to strategy
– Integrated framework supports GRC requirements
Source: Institute of Chartered Accountants in Australia / KPMG – 2012
Key questions
• Is the audit/risk committees’ role and depth of involvement in the oversight of
our GRC framework understood?
• Do we have separate risk and audit committees? If so, how do they connect and
work together?
• Do we know the total cost of activities related to our organisation’s GRC efforts?

Source: Institute of Chartered Accountants in Australia / KPMG – 2012


Integrating GRC
• Strategic approach
• Improved alignment of GRC components
• Link GRC components to strategy
• Risk component critical
• Common language, methodology and approach to risk identification and
assessment
• Risk appetite – helps focus GRC efforts and concentrate compliance and
assurance activities

Source: Institute of Chartered Accountants in Australia / KPMG – 2012


Key questions
• Do we have the key risks for our organisation identified and assessed?
• Have we articulated our risk appetite? Do we understand which key risks are not being sufficiently
mitigated?
• Are we focusing efforts on the most critical risks?
• Do we have sufficient clarity on the true risk and compliance culture within the organisation?
• Do we have clear roles and responsibilities and reporting lines for all assurance and compliance
providers (e.g. internal audit, external audit, OH&S and compliance)?
• Do we have a consistent reporting framework across our assurance and compliance activities,
including rating of issues identified and tracking of issue resolution?
• Do we receive regular reporting from all assurance functions to management and the board?
• Do we receive an integrated assurance map which provides transparency over the risks and areas
of the organisation covered by assurance activities, and any gaps and duplication of effort?

Source: Institute of Chartered Accountants in Australia / KPMG – 2012


The value of GRC
Elements: Governance; Performance management; Risk management; Compliance management
• Promote the coordination and collaboration between different people involved in the direction of the organisation
• Using integrated information for decision-making

The benefits of GRC
• Higher quality information
• Process optimisation
• Better capital allocation
• Improved effectiveness
• Protected reputation
• Reduced costs
Implementing GRC
Implementing a strategic approach to GRC:
• Consider the big picture first
• Form a cross-functional team / committee
• Define roles and responsibilities early in the process
• Beware of building another silo
• Get the process worked out before investing in the technology
• Seek out overlaps and build efficiencies
• Create a common language and understanding around risk
• Don’t lose the detail in the convergence process
• Remember that GRC is a gradual process
Source: Institute of Chartered Accountants in Australia / KPMG – 2012
GRC Stakeholders

Source: Deloitte – May 2013


Stakeholder engagement
Identifying key stakeholders – two dimensions:

Dimension 1 – Stakeholder influence on organisation (no influence, low influence, some influence, formal power / high influence):
• Low influence: Stakeholder’s support for the organisation has little or no impact on its success
• High influence: Stakeholder’s support for the organisation can highly impact on its success

Dimension 2 – Organisation impact on stakeholder:
• Stakeholder is highly dependent on organisation – no choice
• No direct impact – stakeholders have broad range of choice

Resulting engagement approach:
• Highly dependent stakeholder, low influence: Treat fairly – honour commitments to these stakeholders in line with policy, regulations and industry norms. Otherwise endeavour to keep stakeholders satisfied insofar as balance of costs and benefits allow
• Highly dependent stakeholder, high influence: Strategic threat or opportunity – invest in engagement process to understand concerns and develop solutions
• No direct impact, low influence: Low priority – provide access to general channels of information and feedback
• No direct impact, high influence: Keep involved and informed, but ensure balance between concerns of high influence stakeholders and those people actually impacted by decisions

Source: Deloitte, Stakeholder Engagement – 2014


Stakeholder engagement
Key components of a stakeholder engagement policy:
• Define the scope of the policy
• Define the ownership and decision-making process
• Define the governance process
• Identify key stakeholders and stakeholder groups
• Develop engagement plan
• Facilitate the stakeholder engagement process
• Identify the legitimate concerns and interests of key stakeholders
• Design a process for dealing with conflicts between stakeholder concerns
• Define a mechanism to feed stakeholder concerns into strategic planning to ensure
alignment
• Provide feedback to stakeholder groups
• Generate reports
Source: Deloitte, Stakeholder Engagement – 2014
Risk and GRC
• Organisations need to take risks to create value
• Value is a function of risk and return
• Take risk to create value and manage risk to protect value
• Manage risk exposures to incur just enough of the “right” risks to pursue strategic
goals – optimal risk-taking zone / “sweet spot”

Source: COSO – October 2012; Deloitte – August 2015


Risk and GRC
A GRC approach focuses on maintaining the right balance between risk and return. An effective risk
management program focuses simultaneously on value protection and value creation. Deloitte refer to
an organisation that has attained an advanced state of risk management capability as a “Risk Intelligent
Enterprise™”
Deloitte’s Principles for building a Risk Intelligent Enterprise™:
• Common definition of risk
• Common risk framework
• Roles and responsibilities
• Tone at the top
• Transparency for governing bodies
• Common risk infrastructure
• Executive management responsibility
• Objective assurance and monitoring
• Business unit responsibility
• Support of pervasive functions

Risk Intelligent Enterprise™ model (diagram):
• Risk Governance – Board of Directors
• Risk Infrastructure and Management – Executive Management; common risk infrastructure of People, Process and Technology
• Risk Ownership – Business Units and Supporting Functions
• Risk Process – Identify risks; Assess & evaluate risks; Integrate risks; Respond to risks; Design, implement & test controls; Monitor, assure & escalate
• Risk Classes – Governance; Strategy & Planning; Operations / Infrastructure; Compliance; Reporting

Source: Deloitte – 2014


Principles for building a Risk Intelligent Enterprise

Risk Governance
• #1 – A common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organisation
• #2 – A common risk framework supported by appropriate standards is used throughout the organisation to manage risks
• #3 – Key roles, responsibilities and authority relating to risk management are clearly defined within the organisation
• #5 – Governing bodies have appropriate transparency and visibility into the organisation’s risk management practices to discharge their responsibilities

Risk Infrastructure and Oversight
• #6 – Executive management is assigned with primary responsibility for designing, implementing and maintaining an effective risk programme
• #4 – A common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities
• #9 – Certain functions provide objective assurance as well as monitor and report on the effectiveness of an organisation’s risk programme to governing bodies and executive management

Risk Ownership
• #7 – Business units are responsible for the performance of their business and the management of risks they take within the risk framework established by executive management
• #8 – Certain functions have a widespread impact on the business and provide support to the business units as it relates to the organisation’s risk programme

Source: Deloitte – 2009

Risk Intelligence Maturity Model
Stages of risk maturity, in order of increasing stakeholder value: Initial, Fragmented, Top down, Integrated, Risk intelligent

Representative attributes

Initial
• Ad hoc / chaotic
• Depends primarily on individual heroics, capabilities and verbal wisdom

Fragmented
• Independent risk-management activities
• Risk is managed in silos
• Limited focus on linkages between risks
• Limited alignment of risk to strategies
• Disparate monitoring and reporting functions

Top down
• Identified risk universe
• Common risk framework and policy
• Routine risk assessments
• Communication of top strategic risks to the board / executive
• Action plans implemented in response to high-priority risks
• Knowledge sharing across risk functions
• Formal risk consulting
• Dedicated team

Integrated
• Coordinated risk management activities across silos
• Risk appetite is fully defined
• Enterprise-wide risk monitoring, measuring and reporting
• Technology implementation
• Contingency plans and escalation procedures
• Risk management training
• Clear input into Internal Audit and other assurance activity plans

Risk intelligent
• Risk discussion is embedded in strategic planning, capital allocation and product development
• Early warning system (KRIs) to notify board and management to risks above established thresholds
• Linkage to performance measures and incentives
• Risk modelling / scenarios
• Industry benchmarking used regularly

Source: Deloitte – May 2013; August 2015
GRC framework
Governance, Risk and Compliance

Corporate Governance Management
• Corporate Governance Model Development and Evaluation
• Corporate Governance Model Remediation
• Corporate Governance Performance Monitoring

Risk Management
• Strategic and Entity Level Risk Assessment
• Alignment of Strategic and Entity Level Risks with Operational Controls
• Development of Risk Mitigation
• Risk Monitoring

Compliance Management
• Internal Control: Internal Control Matrix Development and Maintenance; Internal Control Evaluation; Internal Control Monitoring
• SoD: SoD Matrix Development and Maintenance; SoD Analysis; SoD Access Monitoring
• Regulatory and Legislative Compliance: Regulatory and Legislation Compliance Development and Maintenance; Regulatory and Legislative Compliance Observance; Regulatory and Legislative Compliance Monitoring

Source: Deloitte – May 2013


GRC and the link to the Organisational Strategy
Strategic Link (diagram)
Levels shown, from top to bottom:
• Vision and Mission
• Organisational strategy
• Functional strategies: Ops, HR, IT, Mkt
• People, Process, Technology / systems
Governance, Performance management, Risk management and Compliance management run alongside all of these levels
Organisational strategy
Characteristics associated with strategy:
• Concerned with the scope of activities
• Matching activities to the operating environment
• Matching activities to resource capabilities
• Major resource implications
• Likely to affect operational decisions
• Influenced by stakeholder values and expectations
• Affect long-term organisational direction
Developing strategy
Elements of strategic management:
• Strategic analysis – The environment; Resources and strategic capability; Culture and stakeholder expectations
• Strategic choice – Identifying strategic options; Evaluating options; Selecting strategy
• Strategy implementation – Planning and allocating resources; Organisation structure and design; Managing strategic change
Macro environment
• Each business is subject to different macro environment influences
• Influences can affect the GRC framework
– Political – legislative
– Economic – interest rates, exchange rates, taxes, surcharges
– Social – community influence: environmental
– Technological – progress
– Labour – strikes and labour action
PEST analysis
• Helpful in obtaining information that can be used in other strategic
analysis models
• Identify key environmental influences
• Identify long-term drivers of change
• Examine the differential impact of external influences – historic and/or
future impacts
PEST analysis
1. What environmental factors are affecting the organisation?

2. Which of these are the most important at the present time? In the next few years?

Political / legal
• Monopolies legislation
• Environmental protection laws
• Taxation policy
• Foreign trade regulations
• Employment law
• Government stability

Economic
• Business cycles
• GNP trends
• Money supply
• Inflation
• Unemployment
• Disposable income
• Energy availability and cost

Socio-cultural
• Population demographics
• Income distribution
• Social mobility
• Lifestyle changes
• Attitudes to work and leisure
• Consumerism
• Levels of education

Technological
• Government spending on research
• Government and industry focus of technological effort
• New discoveries / development
• Speed of technology transfer
• Rates of obsolescence
Economic environment – business cycle
(Figure: total spending plotted over time through the phases peak, contraction, recession and recovery, with leading and lagging indicators marked)
Product life cycle
(Figure: sales plotted against time across the four stages below)

Introduction
• Slow sales growth
• Create product awareness
• Trial amongst early adopters and dealers

Growth
• Rapid market acceptance
• Profit improvement
• Maximize market share
• Build awareness and interest in market

Maturity
• Slow down in sales growth
• Defending market share – stress brand differences and benefits

Decline
• Sales reflect a downward shift
• Profits erode
• Reduce expenditure to retain hard-core loyals and milk the brand
Five forces
(Figure: competitive rivalry at the centre, surrounded by the four external forces)
• Potential entrants – threat of entrants
• Suppliers – bargaining power
• Buyers – bargaining power
• Substitutes – threat of substitutes
• Competitive rivalry
Boston growth matrix
(Figure: vertical axis high to low with a 10% dividing line; horizontal axis Market Share, high to low, with a 10% dividing line)
• Star – high growth, high market share
• Problem Child – high growth, low market share
• Cash Cow – low growth, high market share
• Dog – low growth, low market share
The value chain
• An analytical tool of strategic cost accounting
• Shows the linked set of activities and functions an organisation performs
internally
• Each activity incurs costs and ties up assets
• Differs from organisation to organisation
• Reflects the evolution of the business and its internal operations … its
strategy
• Identify opportunities to add value within the chain
• Identify appropriate governance structures and performance, risk and
compliance management requirements to support decision making
Example – value chain
Motor vehicle manufacturer – niche products to client order
• Primary Activities and Costs: Marketing; Purchased Supplies and Inbound Logistics; Operations; Quality; Distribution; Service; leading to Profit Margin
• Support Activities and Costs: Support functions … SHE … GRC …
Focus on client orders, purchases to manufacture client-specific vehicles, product quality and customer service

Motor vehicle manufacturer – standard products on a market-push basis
• Primary Activities and Costs: Purchased Supplies and Inbound Logistics; Operations; Distribution and outbound logistics; Sales; Service; leading to Profit Margin
• Support Activities and Costs: Support functions … SHEQ … GRC …
Focus on cost efficiencies (influences competitive positioning), operational efficiencies and “pushing”
manufactured vehicles into the markets
Performance
Management
Balanced Scorecard
• Developed by Robert Kaplan and David Norton
• Harvard Business School
• Management beyond financial measures
• System to set, track and achieve strategies
• Four perspectives (adaptable)
– Customer
– Financial
– Internal business process
– Knowledge, education and growth
• Key measurements (KPIs)
• Performance scorecards and dashboards
Scorecard perspectives
Financial vs non-financial:
• Financial – Financial perspective
• Non-financial – Customer perspective; Process perspective; Learning and growth perspective

Scorecard perspectives
External vs internal:
• External – Financial perspective; Customer perspective
• Internal – Process perspective; Learning and growth perspective

Scorecard perspectives
Lagging vs leading:
• Lagging (outcome, result) – Financial perspective, followed by the Customer and Process perspectives
• Leading (input, driver) – Learning and growth perspective
Scorecard linkages
• Financial perspective – Profitability, made up of Revenue and Costs
• Customer perspective – KPI = CSI, influenced by: Engagement, Price, Quality
• Process perspective – Quality processes; number of defective products as a % of total products
• Learning and growth perspective – Quality training; Innovation training; Employee suggestion scheme

Cause-and-effect linkages shown on the slide:
• Improvement in employee engagement drives improved productivity that results in cost decreases and improved profitability
• Business process and product quality improvements drive cost reductions that result in improved profitability
• Improvement in CSI drives increased sales that results in revenue increases and improved profitability
• Improvement in product quality drives increased customer satisfaction
• Skills development and employee engagement training initiatives drive business process and product quality improvements
Scorecard example
Governance
Corporate governance is only part of the larger economic context in which firms
operate that includes, for example, macroeconomic policies and the degree of
competition in product and factor markets. The corporate governance framework
also depends on the legal, regulatory, and institutional environment. In addition,
factors such as business ethics and corporate awareness of the environmental
and societal interests of the communities in which a company operates can also
have an impact on its reputation and its long-term success.

To remain competitive in a changing world, corporations must innovate and
adapt their corporate governance practices so that they can meet new demands
and grasp new opportunities.

Source: OECD, Principles of Corporate Governance – 2004


What is Corporate Governance?
Corporate governance codes do not often explicitly define what corporate governance is. Most
codes of best practice deal with corporate governance as a concept and explain its importance
without defining its meaning. Yet the way corporate governance is defined may affect the scope
and content of a code.
Perhaps the most famous definition of corporate governance was provided in 1992 by Sir Adrian
Cadbury in the Report on Financial Aspects of Corporate Governance in the United Kingdom:
“Corporate governance is the system by which companies are directed and controlled.” Here
corporate governance is defined as a set of mechanisms through which firms operate when
ownership is separated from management.
One size does not fit all, and other definitions of corporate governance may be used. But whether
a broad or a narrow definition of corporate governance is chosen, it is important that the
fundamental values of transparency, accountability, fairness, and responsibility be respected in
order for firms to build and sustain the confidence of investors, stakeholders, and society as a
whole.
Source: Global Corporate Governance Forum – 2005
Corporate Governance defined
“Corporate governance refers to that blend of law, regulation and
appropriate voluntary private sector practices which enables the
corporation to attract financial and human capital, perform
efficiently and thereby perpetuate itself by generating long term
economic value for its shareholders, while respecting the interests
of stakeholders and society as a whole.”
Ira M. Millstein, 2003

Source: Global Corporate Governance Forum – 2005


Governance
• UK – Cadbury Report 1992
– Polly Peck International: misstatement
– BCCI (Bank of Credit and Commerce International): bankruptcy
– Maxwell Communication Corp: pension fund
• UK – Greenbury Report 1996 – director remuneration
• UK – Hampel Report 1998 – review
• UK – Turnbull Report 1999 – internal control guidance for directors
• UK – Smith Report 2003 – audit committees
• UK – Higgs Report 2003 – non-executive directors
• UK – Walker Review 2009 – financial industry
• USA – Sarbanes-Oxley Act 2002
Governance
How responsible business and sustainable profits are embedded into the function of the board

Board responsibilities (diagram):
• Protecting stakeholder rights and interests
• Creating business value
• Managing risk

Source: International Finance Corporation


Drivers of improved governance
• Growth imperative
• Organisational size and complexity
• Regulatory change
• Privatisation
• Globalisation in markets
• Mobilisation of capital

Drive improved governance implementation by management and governance
oversight by the board through a governance operating model
Governance structure
(Diagram of the relationships shown on the slide)
• Shareholders elect the Board of Directors
• The Board of Directors engages the Auditors
• Regulators maintain an open dialogue with the Board of Directors
• Board committees: Governance Committee; Human Resources Committee; Risk Committee; Audit Committee
• The Board of Directors appoints Senior Management
• Independent Control Functions: Risk Management, Compliance, Finance, Internal Audit Services
Governance framework
• Board plays an active role in developing the components and participating in the activities
• Board monitors results of business activities and issues identified in the process
Source: Deloitte – 2013
Governance operating model
A governance operating model is the
mechanism used by the board and
management to translate the elements
of the governance framework and
policies into practices, procedures, and
job responsibilities within the corporate
governance infrastructure.

A robust enterprise governance operating model helps enable the
execution of governance responsibilities at all levels.

Source: Deloitte – 2013


Governance elements
• Governing body leadership responsibilities
– Strategy
– Policy
– Oversight
– Disclosure
• Key principles
• Governance outcomes

The King Report on corporate governance which can be used as a reference when compiling corporate governance codes and frameworks can be accessed at
http://c.ymcdn.com/sites/www.iodsa.co.za/resource/resmgr/king_iv/King_IV_Report/IoDSA_King_IV_Report_-_WebVe.pdf

Governance frameworks
• UN Global Compact – 10 fundamental principles covering human rights,
labour standards, environment and anti-corruption
• G20/OECD Principles of Corporate Governance – six fundamental
principles
• UN Principles for Responsible Investment (PRI) – six fundamental principles
• Global Reporting Initiative (GRI) – sustainability reporting standards
• IIRC <IR> Framework

The Global Reporting Initiative's GRI Standards can be accessed using the following link https://www.globalreporting.org/standards/gri-standards-download-center/
The webpage for the International Integrated Reporting Committee (IIRC) is http://integratedreporting.org/ with the <IR> framework itself being available at
http://integratedreporting.org/resource/international-ir-framework
UN Global Compact
Human Rights
• Principle 1: Businesses should support and respect the protection of
internationally proclaimed human rights; and
• Principle 2: make sure that they are not complicit in human rights abuses
UN Global Compact
Labour Standards
• Principle 3: Businesses should uphold the freedom of association and the
effective recognition of the right to collective bargaining;
• Principle 4: the elimination of all forms of forced and compulsory labour;
• Principle 5: the effective abolition of child labour; and
• Principle 6: the elimination of discrimination in respect of employment and
occupation
UN Global Compact
Environment
• Principle 7: Businesses should support a precautionary approach to
environmental challenges;
• Principle 8: undertake initiatives to promote greater environmental
responsibility; and
• Principle 9: encourage the development and diffusion of environmentally
friendly technologies

Anti-corruption
• Principle 10: Businesses should work against all forms of corruption,
including extortion and bribery
G20/OECD Principles of Corporate Governance
• Endorsed in 1999
• Reviewed in 2004 and 2015
• International benchmark
• Offers non-binding standards and good practices
• Apply to OECD and non-OECD countries
• Focus on governance problems arising from the separation of ownership
and control
• To be applied in conjunction with other “checks and balances”
G20/OECD Principles of Corporate Governance

Ensuring the basis for an effective corporate governance framework

Principle I
The corporate governance framework should promote transparent and fair
markets, and the efficient allocation of resources. It should be consistent with
the rule of law and support effective supervision and enforcement.
G20/OECD Principles of Corporate Governance

The rights and equitable treatment of shareholders and key ownership functions

Principle II
The corporate governance framework should protect and facilitate the
exercise of shareholders’ rights and ensure the equitable treatment of all
shareholders, including minority and foreign shareholders. All shareholders
should have the opportunity to obtain effective redress for violation of their
rights.
G20/OECD Principles of Corporate Governance

Institutional investors, stock markets and other intermediaries

Principle III
The corporate governance framework should provide sound incentives
throughout the investment chain and provide for stock markets to function in
a way that contributes to good corporate governance.
G20/OECD Principles of Corporate Governance

The role of stakeholders in corporate governance

Principle IV
The corporate governance framework should recognise the rights of
stakeholders established by law or through mutual agreements and
encourage active co-operation between corporations and stakeholders in
creating wealth, jobs, and the sustainability of financially sound enterprises.
G20/OECD Principles of Corporate Governance

Disclosure and transparency

Principle V
The corporate governance framework should ensure that timely and
accurate disclosure is made on all material matters regarding the
corporation, including the financial situation, performance, ownership, and
governance of the company.
G20/OECD Principles of Corporate Governance

The responsibilities of the board

Principle VI
The corporate governance framework should ensure the strategic guidance
of the company, the effective monitoring of management by the board, and
the board’s accountability to the company and the shareholders.
UN Principles for Responsible Investment
• Launched in April 2006 at the NYSE
• Set of best practices for responsible investment
• Supported by the UN
• Illuminates the financial relevance of ESG issues and provides a framework to
support stable and sustainable financial systems
• Incorporating ESG factors to:
– Enhance financial returns
– Reduce risk
– Meet stakeholder expectations
UN Principles for Responsible Investment
Principle 1: We will incorporate ESG issues into investment analysis and
decision-making processes.
Possible actions:
• Address ESG issues in investment policy statements.
• Support development of ESG-related tools, metrics, and analyses.
• Assess the capabilities of internal investment managers to incorporate ESG issues.
• Assess the capabilities of external investment managers to incorporate ESG issues.
• Ask investment service providers (such as financial analysts, consultants, brokers, research firms, or rating
companies) to integrate ESG factors into evolving research and analysis.
• Encourage academic and other research on this theme.
• Advocate ESG training for investment professionals.
UN Principles for Responsible Investment
Principle 2: We will be active owners and incorporate ESG issues into our
ownership policies and practices.
Possible actions:
• Develop and disclose an active ownership policy consistent with the Principles.
• Exercise voting rights or monitor compliance with voting policy (if outsourced).
• Develop an engagement capability (either directly or through outsourcing).
• Participate in the development of policy, regulation, and standard setting (such as promoting and protecting
shareholder rights).
• File shareholder resolutions consistent with long-term ESG considerations.
• Engage with companies on ESG issues.
• Participate in collaborative engagement initiatives.
• Ask investment managers to undertake and report on ESG-related engagement.
UN Principles for Responsible Investment
Principle 3: We will seek appropriate disclosure on ESG issues by the entities
in which we invest.
Possible actions:
• Ask for standardised reporting on ESG issues (using tools such as the Global Reporting Initiative).
• Ask for ESG issues to be integrated within annual financial reports.
• Ask for information from companies regarding adoption of/adherence to relevant norms, standards, codes of
conduct or international initiatives (such as the UN Global Compact).
• Support shareholder initiatives and resolutions promoting ESG disclosure.
UN Principles for Responsible Investment
Principle 4: We will promote acceptance and implementation of the Principles
within the investment industry.
Possible actions:
• Include Principles-related requirements in requests for proposals (RFPs).
• Align investment mandates, monitoring procedures, performance indicators and incentive structures accordingly
(for example, ensure investment management processes reflect long-term time horizons when appropriate).
• Communicate ESG expectations to investment service providers.
• Revisit relationships with service providers that fail to meet ESG expectations.
• Support the development of tools for benchmarking ESG integration.
• Support regulatory or policy developments that enable implementation of the Principles.
UN Principles for Responsible Investment
Principle 5: We will work together to enhance our effectiveness in
implementing the Principles.
Possible actions:
• Support/participate in networks and information platforms to share tools, pool resources, and make use of
investor reporting as a source of learning.
• Collectively address relevant emerging issues.
• Develop or support appropriate collaborative initiatives.
UN Principles for Responsible Investment
Principle 6: We will each report on our activities and progress towards
implementing the Principles.
Possible actions:
• Disclose how ESG issues are integrated within investment practices.
• Disclose active ownership activities (voting, engagement, and/or policy dialogue).
• Disclose what is required from service providers in relation to the Principles
• Communicate with beneficiaries about ESG issues and the Principles.
• Report on progress and/or achievements relating to the Principles.
• Seek to determine the impact of the Principles.
• Make use of reporting to raise awareness among a broader group of stakeholders.
UN Sustainable Development Goals

PRI Survey
• 65% of respondents agree that acting on the SDGs ‘aligns with their
fiduciary duties’.
• 62% of respondents believe that acting on the SDGs ‘can create
opportunities for increased investment returns’.
• 44% agree that ‘weak progress towards the SDGs represents a material
risk to their organisation’.
• 75% of respondents are already taking action on three or more of the
SDGs.
Global Reporting Initiative
• GRI – reporting standards for sustainability reporting
• Guidelines developed through global multi-stakeholder process
• International reference:
– Governance approach
– Environmental performance and impacts
– Social performance and impacts
– Economic performance and impacts
GRI framework – aspects & boundaries
GRI framework – specific disclosures
• Universal standards (GRI101 – GRI103)
• Economic (GRI200 – GRI206: covers 13 aspects)
• Environmental (GRI300 – GRI308: covers 30 aspects)
• Social (GRI400 – GRI419: covers 34 aspects):
– Labour practices and decent work
– Human rights
– Society
– Product responsibility
IIRC <IR> framework
• IIRC focused on evolution of corporate reporting
• 2011 – “Towards Integrated Reporting – Communicating Value in the 21st
Century”
• July 2012 – draft outline
• November 2012 – prototype framework
• April 2013 – consultation draft
• December 2013 – international <IR> framework
– Principles-based approach
– Comply or explain basis
– Guiding principles and content elements governing reporting
<IR> framework fundamental concepts

• Value creation
– Short-, medium-, long-term
– Organisational value – shareholder returns
– Value for other stakeholders
– Inter-relationship between internal/external value
<IR> framework fundamental concepts
• The capitals:
– Financial capital
– Manufactured capital
– Intellectual capital
– Human capital
– Social and relationship capital
– Natural capital
• The role of the capitals in the framework
Value creation and preservation

Source: IIRC, <IR> Framework, January 2021


“New” corporate governance
• Four basic board structures / systems (diagram):
– Dual Board System (Germany): BoD and TMT
– Monistic Board System (America): BoD and TMT; Chairman and CEO – dual role
– Triad Board System (China, Japan, ME): minority independent directors; audit; BoD; TMT; Executive Chairman; CEO
– Advanced Board System: majority independent directors; BoD; TMT; Independent Chairman; CEO
BoD – Board of Directors; TMT – Top Management Team
“New” corporate governance

Board typology (diagram: vertical axis “Direction”, horizontal axis “Controlling”):
– 1 The “Prestigious” Board (low direction, low controlling)
– 2 The “Controlling” Board (low direction, high controlling)
– 3 The “Entrepreneurial” Board (high direction, low controlling)
– 4 The “Directing and Controlling” Board (high direction, high controlling)
How boards spend their time
McKinsey Research
Area                                         % of time directors spend on each topic
                                             2013     2015     2017
Strategy                                       28       27       27
Performance management                         18       22       20
Organisational health and talent management    12        9       13
Investments and M&A                            16       10       12
Core governance and compliance                 13       12       10
Risk management                                12       10        9
Shareholder and stakeholder management        N/A        9        9
Based on an average total of 24 days spent per year (per director) (2017)
Ideal number of days = 30 per year
Days spent in 2015 = 26 days
Source: McKinsey, The Board Perspective, No.2, March 2018
McKinsey
Building a forward-looking board

HO
Forward-looking board agenda

Source: McKinsey, Building a Forward Looking Board – February 2014


HO
Risk Management
Defining risk
• Dictionary – “… exposing to danger or hazard”
• Risk is a concept linked to human expectations. It indicates a potential negative
effect on an asset that may derive from given processes in progress or given
future events. In common language, risk is often used as a synonym for the
probability of a loss or of a danger. In the assessment of professional risk, the
concept of risk combines the probability of an event occurring with the impact
that event may have and with the various circumstances in which it may happen.

The Chinese symbol for “Crisis”

Source: International Finance Corporation


Risk governance
• Relatively new term
• “The ways in which directors authorise, optimise and monitor risk taking in an
enterprise”
• Includes various aspects:
– Skills
– Infrastructure (organisational structure, controls and IT systems)
– Business culture
• Good risk governance provides:
– Clearly defined accountability
– Clearly defined authority
– Communication / reporting mechanisms
The valuation of risks
• Objective of managing risk – to make business more valuable
• Value is a function of risk and return (for stakeholders)
• Every decision either increases, preserves or erodes value
• Risk is integral to the pursuit of value
• Do not avoid risk, but manage risk exposures to take on the “right” kinds of
risks
• Risk assessment provides the basis for understanding how significant (the
value of) each risk is to the achievement of objectives
The valuation of risks
Diagram (value creation and value preservation):
• Creating value: new product development; increased revenue; increased market share
• Preserving value: penalties, fines; losses; lawsuits
• Quotation in the diagram: “The potential for loss – or the diminished opportunity for
gain – caused by factors that can adversely affect the achievement of a company’s
objectives”

An effective ERM program may help not only preserve value in the traditional risk
management sense but also help create value for the respective organisations

Source: Deloitte, Practical Enterprise Risk Management, 2012


Creating value from risk taking
• Four sets of inputs determine the value of a business:
– Cash flow generation from assets in place and investments already made
– Expected growth rate in the cash flows during periods of high growth and excess
returns
– Time period elapsing before the firm becomes a stable growth firm (competitive
advantage period)
– Discount rate that reflects the risk of the investments made by the firm and the
financing mix used to fund them (cost of capital)
• Risk management actions altering one of the above can affect the value of an enterprise
– Downside (e.g. insurance – risk hedging)
– Upside (e.g. new markets – risk-taking action)
The valuation of risks
• Risk assessment process needs to be:
– Practical
– Sustainable
– Easy to understand
– Undertaken in a structured and disciplined way
– Correctly sized to the organisation’s size, complexity and geographic reach
• Valuation needs to consider:
– Effect of each risk on enterprise value
– Cost of reducing each risk
– Benefit vs. cost
• Value-maximising risk management strategy
The valuation of risks
• Risk universe: The full range of risks that could impact either positively or
negatively on the ability of the organisation to achieve its long-term
objectives.
• Risk appetite: The amount of risk an organisation is willing to seek or
accept in pursuit of its long-term objectives.
• Risk tolerance: The boundaries of risk taking outside of which the
organisation is not prepared to venture in the pursuit of long-term
objectives. Can be stated in absolutes, for example:
– “We will not deal with a certain type of customer”
– “We will not expose more than X percent of our capital to losses in a certain line of
business.”
Risk management process
Communicate and consult:
• To determine who should be involved in assessment
• Engage those involved in risk treatment and monitoring
• Elicit risk information from a range of stakeholders
• Manage stakeholder perceptions for risk management
• Determine need for communication strategy / plan
• Determine communication channels
Risk assessment process
• Risk assessment follows event identification and precedes risk response
• Purpose is to identify how big the risks are, both individually and
collectively
• Allows management to focus their attention on the most important threats
and opportunities and lay the groundwork for risk response

Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Identify risks
• Produces a comprehensive list of risks (and opportunities)
• Organised by category (e.g. financial, operational, strategic)
• And sub-category (e.g. market, credit, liquidity)
• Risks at a business unit level differ from business-level risks
• Prioritisation provides for senior management and board attention on key
risks
• Prioritisation accomplished by undertaking a risk assessment

Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Develop assessment criteria
• Common set of assessment criteria to be deployed across business units,
corporate functions and large projects
• Typically assessed in terms of likelihood and impact
• Unlikely events occur too often – and likely events sometimes never occur
• Need to also gauge the vulnerability (to determine what response is
needed) and the speed of onset (to understand the need for agility and
rapid adaptation)

Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Develop assessment criteria
• Assessment scales provide a form of measurement
• Scales comprise rating levels and definitions that foster consistent
application by different constituencies
• The more descriptive the scales the more consistent their interpretation by
users
• Need to find the right balance between simplicity and comprehensiveness
• Five-point scales yield better results
• Scales customised to fit industry, size, complexity and culture of the
organisation

Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Impact scales
Rating Descriptor Definition
5 Extreme • Financial loss of $X million or more
• Significant prosecution and fines, litigation
• Significant injuries or fatalities to employees or third parties
• Loss of multiple senior staff members
4 Major • Financial loss of $X million up to $X million
• Long-term negative media coverage, loss of market share
• Limited in-patient care required for employees or third parties
• Some senior managers leave, high staff turnover
3 Moderate • Financial loss of $X million up to $X million
• Short-term negative media coverage
• Out-patient medical treatment required for employees or third parties
• Widespread staff morale problems, high staff turnover
2 Minor • Financial loss of $X million up to $X million
• Local reputational damage
• Minor injuries to employees or third parties
• General staff morale problems, increasing staff turnover
1 Incidental • Financial loss up to $X million
• Local media attention rapidly remedied
• No injuries to employees or third parties
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Likelihood scales
Annual Frequency                                                   Probability
Rating Descriptor Definition                                       Descriptor      Definition
5      Frequent   Up to once in 2 years or more                    Almost certain  90% or greater chance of occurrence over life of asset or project
4      Likely     Once in 2 years up to once in 25 years           Likely          60% up to 90% chance of occurrence over life of asset or project
3      Possible   Once in 25 years up to once in 50 years          Possible        35% up to 60% chance of occurrence over life of asset or project
2      Unlikely   Once in 50 years up to once in 100 years         Unlikely        10% up to 35% chance of occurrence over life of asset or project
1      Rare       Once in 100 years or less                        Rare            Less than 10% chance of occurrence over life of asset or project

Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Vulnerability scales
Rating Descriptor Definition
5 Very high • No scenario planning performed
• Lack of enterprise-level capabilities to address risks
• Responses not implemented
• No contingency plans in place
4 High • Scenario planning for key strategic risks performed
• Low enterprise-level capabilities to address risks
• Responses partially implemented / not achieving control objectives
• Limited contingency plans in place
3 Medium • Stress testing and sensitivity analysis of scenarios performed
• Medium enterprise-level capabilities to address risks
• Responses implemented and achieving control objectives most of the time
• Most contingency plans in place
2 Low • Strategic options defined
• Medium to high enterprise-level capabilities to address risks
• Responses implemented and achieving control objectives except under extreme circumstances
• Contingency plans in place
1 Very low • Real options deployed to maximise strategic flexibility
• High enterprise-level capabilities to address risks
• Responses implemented and achieving objectives – regularly tested for critical risks
• Contingency plans in place and rehearsed regularly
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Speed of onset scales
Rating Descriptor Definition
5 Very high • Very rapid onset, little or no warning, instantaneous
4 High • Onset occurs in a matter of days to a few weeks
3 Medium • Onset occurs in a matter of a few months
2 Low • Onset occurs in a matter of several months
1 Very low • Very slow onset, occurs over a year or more

Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Assess risks
• Often performed as a two-stage process
– Initial screening using qualitative techniques
– Followed by a more quantitative treatment of more important risks and opportunities
(not all can be quantified)
• Qualitative assessment uses the assessment scales
• Supported by review of internal and external data
• Assessment conducted through various means – including interviews,
cross-functional workshops, surveys, benchmarking, scenario analysis, at-
risk modelling

Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Assess risk interactions
• Requires breaking down silos
• Various methods to review risk interactions:
– Grouping related risks and assigning ownership and oversight for the risk area
– Risk interaction maps
– Correlation matrices
– Fault trees
– Event trees
– Bow-tie diagrams

Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Risk interaction maps

Matrix of seven risks plotted against each other (rows and columns carry the same
seven risks; an X marks an interaction between the row risk and the column risk):
Supply chain disruption – 2 interactions
Customer preference shift – 4 interactions
Economic downturn – 6 interactions
Local competitor enters market – 4 interactions
New substitutes available – 2 interactions
Cost of capital increase >5% – 2 interactions
Exchange rate fluctuations – 4 interactions
Bow-tie diagrams

Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Prioritise risks
• View risks as a comprehensive portfolio – enables prioritisation for
determining risk responses and for reporting to different stakeholders
• Ranking and prioritisation normally a two-step process:
– First risks are ranked according to one or more criteria, such as impact multiplied by
likelihood or impact multiplied by vulnerability
– Second the ranked risks are reviewed against additional considerations, such as
impact alone, speed of onset, gap between current and desired risk level (risk
tolerance threshold)
• Aggregating risks – hierarchies, heat maps

Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
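The two-step ranking described above, as an added worked example (not code from COSO/Deloitte or the course): risks rated on the four 1–5 scales from the preceding slides are ranked by impact × likelihood (or impact × vulnerability), then reviewed against impact alone, speed of onset and the gap to a desired level. The register entries, tolerance scores and heat-map zone thresholds are constructed sample values.

```python
"""Two-step risk prioritisation on the COSO/Deloitte 5-point scales.

Added illustration, not part of the COSO/Deloitte material: the four scales
(impact, likelihood, vulnerability, speed of onset, each rated 1-5) are the
ones on the slides; the register entries, the tolerance scores and the
heat-map zone thresholds are constructed sample values.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # every assessment scale on the slides runs from 1 to 5


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int          # 1 Incidental .. 5 Extreme
    likelihood: int      # 1 Rare .. 5 Frequent
    vulnerability: int   # 1 Very low .. 5 Very high
    speed_of_onset: int  # 1 Very low .. 5 Very high
    tolerance: int       # desired (tolerable) impact x likelihood score; constructed

    def __post_init__(self):
        # Reject ratings outside the 5-point scale so that a typo in the
        # register cannot silently drop or inflate a risk in the ranking.
        for attr in ("impact", "likelihood", "vulnerability", "speed_of_onset"):
            value = getattr(self, attr)
            if value not in SCALE:
                raise ValueError(f"{self.name}: {attr}={value} is not in 1..5")


def score(risk, criterion="likelihood"):
    """Step one of the ranking: impact x likelihood (default) or impact x vulnerability."""
    if criterion == "likelihood":
        return risk.impact * risk.likelihood
    if criterion == "vulnerability":
        return risk.impact * risk.vulnerability
    raise ValueError(f"unknown ranking criterion {criterion!r}")


def heat_map_zone(score_value):
    """Bucket a 1..25 score into heat-map colours (constructed thresholds)."""
    if score_value >= 15:
        return "red"
    if score_value >= 8:
        return "amber"
    return "green"


def prioritise(register, criterion="likelihood"):
    """Rank by the step-one score; ties are broken by the step-two
    considerations in order: impact alone, speed of onset, then the gap
    between the current score and the desired (tolerance) level."""
    def sort_key(risk):
        current = score(risk, criterion)
        gap = max(0, current - risk.tolerance)
        return (current, risk.impact, risk.speed_of_onset, gap)
    return sorted(register, key=sort_key, reverse=True)


def review(register, criterion="likelihood"):
    """Step two made explicit: for each ranked risk, list the considerations
    that would pull it up the agenda regardless of its raw score."""
    rows = []
    for risk in prioritise(register, criterion):
        current = score(risk, criterion)
        flags = []
        if risk.impact >= 4:            # Major or Extreme impact on its own
            flags.append("high impact alone")
        if risk.speed_of_onset >= 4:    # days to weeks, or no warning at all
            flags.append("rapid onset")
        if current > risk.tolerance:    # gap to the desired risk level
            flags.append(f"exceeds tolerance by {current - risk.tolerance}")
        rows.append((risk.name, current, heat_map_zone(current), flags))
    return rows


# Constructed register; the risk names are those of the interaction map above.
REGISTER = [
    Risk("Supply chain disruption", 4, 3, 4, 5, 8),
    Risk("Economic downturn", 5, 2, 3, 2, 10),
    Risk("Local competitor enters market", 3, 4, 2, 3, 12),
    Risk("Exchange rate fluctuations", 2, 5, 1, 4, 10),
    Risk("Cost of capital increase >5%", 3, 2, 2, 1, 9),
]

if __name__ == "__main__":
    for criterion in ("likelihood", "vulnerability"):
        print(f"Ranked by impact x {criterion}:")
        for name, current, zone, flags in review(REGISTER, criterion):
            print(f"  {current:>2} {zone:<5} {name:<32} {', '.join(flags)}")
```

Ranking by vulnerability instead of likelihood moves "Economic downturn" to second place, which is the kind of shift the second review step is meant to surface.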
Risk hierarchies

Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Risk and opportunity maps
• Usually two-dimensional representations of impact plotted against
likelihood
• Can also depict other relationships such as impact versus vulnerability

Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Heat maps

Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
MARCI* charts

*MARCI – Mitigate, Assure, Redeploy and Cumulative Impact

Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Heat maps vs. MARCI charts

Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Risk assessment process
Key principles for effective risk assessments
• Governance over the risk assessment process must be clearly established
• Risk assessment begins and ends with specific objectives
• Risk rating scales are defined in relation to organisations’ objectives in
scope
• Management forms a portfolio view of risks to support decision making
• Leading indicators are used to provide insight into potential risks
Risk assessment process
Essential steps for performing a risk assessment
• Identify relevant business objectives.
• Identify events that could affect the achievement of objectives.
• Determine risk tolerance.
• Assess inherent likelihood and impact of risks.
• Evaluate the portfolio of risks and determine risk responses.
• Assess residual likelihood and impact of risks.
Risk assessment process
Common challenges to effective risk assessment
• Risk assessment is viewed as an episodic initiative providing limited value.
• The amount of information and data gathered is difficult to interpret and use.
• Results of the risk assessment are not acted upon.
• Over-controlling risk can be costly and stifle innovation.
• Risk assessments become stale, providing the same results every time.
• Risk assessment is added onto day-to-day responsibilities without being integrated into
business processes.
• Too many different risk assessments are performed across the organisation.
• Risk assessment will not prevent the next big failure.
Risk assessment
• Strategic risk assessment
• Operational risk assessment
• Compliance risk assessment
• Internal audit risk assessment
• Financial statement risk assessment
• Fraud risk assessment
• Market risk assessment
• Credit risk assessment
• Customer risk assessment
• Supply chain risk assessment
• Security risk assessment
• Product risk assessment
• Information technology risk assessment
Risk responses
• Addresses risks identified as unacceptable / tolerable
• Identify options to control / respond to risks:
– Risk avoidance
– Risk transfer
– Risk reduction
– Risk retention
• In-balance sheet tools – financiers
• Off-balance sheet tools – insurance, forward cover

Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Risk management process
Monitor and review risks:
• Identify, analyse, and plan for new risks
• Track identified risks and monitor trigger conditions
• Review project performance information such as progress/status reports,
issues, and corrective actions
• Re-analyse existing risks to see if the probability, impact, or proper
response plan has changed
• Review the execution of risk responses and analyse their effectiveness
• Ensure proper risk management policies and procedures are being utilised

HO
Enterprise Risk Management
COSO defines ERM as a process that is:
• affected by an entity’s board of directors, management, and other
personnel;
• applied in strategy setting and across the organisation;
• designed to identify potential events that may affect the entity, then
manage risk and keep it within the organisation’s risk appetite; and
• provide reasonable assurance regarding the achievement of the entity’s
objectives.

Source: Committee of Sponsoring Organizations, Enterprise Risk Management—Integrated Framework, 2004


What is ERM?
ERM can integrate siloed risk management efforts to focus the organisation
on key risks

Source: Deloitte, Practical Enterprise Risk Management, 2012


Why ERM?
An effective ERM program may help:
• Identify and manage cross-enterprise risks
• Create a risk-aware culture
• Enable focus on the risks that matter most through integrated
management reporting
• Reduce vulnerability to adverse events
• Align risk appetite and strategy
• Link growth, risk, and return
• Decrease operational surprises and losses
• And more…
Source: Deloitte, Practical Enterprise Risk Management, 2012
Traditional RM vs ERM
Risk Interactions and Scenario Analyses
Traditional Approach:
• Focus only on the individual risk events without consideration for their long-term impact or risk interactions
ERM (Risk Intelligent Approach):
• Study interactions between separate individual risks
• Assess risks using scenario analysis
Siloed Risk Management
Traditional Approach:
• Different risk language and risk management approaches across the organisational silos
• Poor communication across these silos
ERM (Risk Intelligent Approach):
• Define a common risk language that cuts across silos
• Coordinate roles and responsibilities across the organisation
• Rationalise and standardise controls for risk management
Unrewarded vs. Rewarded Risk
Traditional Approach:
• Focus on compliance, security, financial issues
• Mitigating risks of fraudulent activities, physical safety
ERM (Risk Intelligent Approach):
• Take calculated risks to obtain a competitive advantage
• Taking risks for attracting more and high-value customers

Source: Deloitte, Practical Enterprise Risk Management, 2012


ERM and internal audit
Internal Audit’s Role Major ERM Activities
Core / Safe – consistent with • Giving assurance on the risk management process
Standards • Giving assurance that risks are correctly evaluated
• Evaluating risk management processes
• Evaluating the reporting of key risks
• Reviewing the management of key risks (includes testing controls)

Should be performed with certain • Facilitating identification and evaluation of risks
safeguards • Coaching management in responding to risks
• Coordinating ERM activities
• Consolidated reporting on risks
• Championing establishment of ERM
• Developing risk management strategy for board approval
Should not be performed by • Setting risk appetite
Internal Audit • Imposing risk management processes
• Providing management assurance on risks
• Making decisions on risk responses
• Implementing risk responses on management’s behalf
• Assuming accountability for risk management
Source: Deloitte, Practical Enterprise Risk Management, 2012
McKinsey
A board perspective on enterprise risk
management

HO
Organising for risk-taking
Several keys to becoming a strong risk-taking enterprise:
• Hiring the right people
• Creating incentives for good risk taking
• Aligning organisational size and structure with risk taking
• Understanding the decision-making context
• Integrating risk analysis with the strategy process
• Monitoring and responsiveness
• Ensuring adequate capital for risks retained
• Preserving the enterprise’s options
• Building the optimal risk governance and management structures
• Balancing quantitative and qualitative decision making
Leading practices
• Risk management should be integrated into corporate culture, starting at the board level and with the
governance capability
• Ensure the ERM fundamentals, i.e., the framework, methodology, and tools are established before developing
more advanced risk management practices
• Buy in from CEO and executive team is imperative to the program’s success
• Elevated CRO visibility and responsibility: direct reporting to the board and/or CEO, and increasing frequency of
CRO executive sessions with the board
• Integration of ERM with other management practices (performance management, process management,
compliance management, quality management, etc.)
• Leaders actively shape their risk culture into something purposeful that is aligned with business strategy – and
where each employee takes personal responsibility for managing risk in their work every day and understands
how to make the right risk-based decisions
• Integration of risk discussions and ERM monitoring into everyday business is essential – not a documentation
exercise
• Build common language and common metrics
Source: Deloitte, Practical Enterprise Risk Management, 2012
Potential challenges
• ERM training is still limited to risk specialists and people directly involved in the risk
management activities
• Just in this past decade, many companies’ failures were the result of bad decisions on the
part of a handful of people – in these cases, the human factor is the root cause
• In the midst of the recent economic challenges, many companies with well established
ERM functions, processes, and controls still failed
• Missing the cultural and organizational components that may help guard against
ineffective or just plain poor decision-making on the part of individuals
• ERM processes are implemented but organizations may still face challenges with respect
to effective monitoring and reporting
• Lack of awareness is a common barrier to effectiveness

Source: Deloitte, Practical Enterprise Risk Management, 2012


Current trends
• There is an increasing link between risk and performance management
• More emphasis has been put on risk related to strategy and its execution
• The focus is shifting from the unrewarded risks to the rewarded risks
• The role of HR in managing risk is expanding
• Social media risk rivals financial risk as an area of concern
• Continuous risk monitoring is rare today, but on the rise
• The changing role of Internal Auditors is not just focused on risk mitigation but also value
creation
• Data integrity and data analysis become increasingly important as systems are integrated
and reporting needs increase
• Boards have been increasingly proactive in risk management and this will likely continue
• The CRO is increasingly a more senior executive position
Source: Deloitte, Practical Enterprise Risk Management, 2012
Compliance
Case Study
MTN South Africa

HO
Compliance structures
• Strategic
• Operational
• Internal – IAS, SHEQ, etc.
• External – external audit, quality audit, etc.
• Departmental
• Combined assurance framework
Developing codes of best practice
• Complex legal environment
• Norms that impact on corporate governance practices:
– International laws (treaties, agreements, directives)
– National laws (legal codes)
– Subnational legislation (state laws)
– Regulations
– Listing rules
– Standards, guidelines, and codes of best practice
– Organic documents of the corporation (company charter)
– Corporate rules and provisions (company by-laws)
Developing codes of best practice
• International reference frameworks
• Professional associations
• Areas to consider:
– Establishing a corporate governance committee
– Chairman of the committee
– Project leader
– Committee members and secretary
– Master schedule (what is to be done)
– Terms of reference
– Stakeholder engagement (who, when, how, etc.)
– Implementation and monitoring – change management
Business ethics
• Principles and standards that determine acceptable conduct within
a business environment
• Integral to governance
• Recognising ethical issues most important step
– Conflict of interest
– Fairness and honesty
– Communications
– Business relationships
Business ethics and social responsibility

• Social responsibility issues:
– Relations with owners and shareholders
– Employee relations
– Customer relations
– Environmental issues
– Community relations
• Levels of responsibility (diagram, top to bottom):
– Voluntary Responsibilities – being a “good corporate citizen”; contributing to the community and quality of life
– Ethical Responsibilities – being ethical; doing what is right, just and fair; avoiding harm
– Legal Responsibilities – obeying the law (society’s codification of right and wrong); playing by the rules of the game
– Economic Responsibilities – being profitable
Ethics and compliance
Deloitte Ethics and Compliance Framework

Source: Deloitte – 2015


Ethics and compliance
• Tone at the top
• Who sets the tone?
• The board
• The CEO
• The CCO
• Organisational practices:
– Recruiting and screening methodologies
– Mentoring and additional training
– Reward systems
– Employee exits
Ethics and compliance
• Corporate culture (“how things get done”)
• A strong culture of ethics and compliance is the foundation of a robust risk
management program
• Culture is one of the biggest determinants of how employees behave
• Culture of integrity characterised by:
– Organisational values
– Tone at the top
– Consistency of messaging
– Accountability
– Incentives and rewards
Ethics and compliance
• Risk assessments
• Compliance risk exposure needs to be incorporated into the
organisational risk assessment process
• Understand the full spectrum of compliance risks – allocate resources
based on prioritisation
• Framework and methodology should be developed
Ethics and compliance
• Chief Compliance Officer (CCO)
• CCOs operate in a dynamic legal, regulatory, social and economic environment,
characterised by complex and sometimes conflicting rules and regulations
• CCOs focus on design of programs to ensure compliance with regulations
and guidelines
• Must also respond to emerging new risks
• More strategic role – managing reputational risk
• Broad skills set
Ethics and compliance
• Testing and monitoring
• One of the more critical elements of an effective ethics and compliance
program
• Without testing – difficult to understand what is working and what needs
enhancement
• Robust monitoring systems work as early-warning system
• Testing – periodic selection and review of a sample to gauge and report on
the effectiveness of compliance controls
• Monitoring – ongoing surveillance, review and analysis of KPIs and KRIs to
identify compliance violations
Regulatory compliance management (RCM)
• Combined Assurance Model – the three lines of defence (figure)
• Collaboration across key governance functions, such as Legal, Compliance,
Risk Management and Internal Audit
• Business and its operational management also form a critical line of
defence
Source: Deloitte – 2016
RCM
• Legal / Operational Compliance:
– Maintain and update regulatory universe
– Educate management and board on regulatory interpretation and requirements
– Facilitate regulatory risk prioritisation
– Maintain CRMP
– Assist business with implementation of operational compliance
– Monitor & report compliance matters
• Internal Audit:
– Assess adequacy and effectiveness of compliance processes, systems & structures
– Highlight key weaknesses with associated risks noted
– Make recommendations to management and board on corrective actions
• Risk Management:
– Conduct regulatory risk prioritisation
– Facilitate completion of compliance risk-register with ratings and mitigating actions
– Ensure awareness on the part of management & board on risk consequences of noncompliance
Thank You

Questions and Answers

Peter Hofmann
MFX Options and Solutions (Pty) Ltd
peter@mfxsa.co.za
www.mfxsa.co.za