Enterprise Governance, Risk and Compliance Management
Pharma Colloquium, Princeton University
June 6, 2005
PwC

Agenda
• PwC Global CEO Survey on Governance, Risk and Compliance
• Regulatory Expectations
• COSO Enterprise Risk Management
• Open Compliance and Ethics Guidelines
PricewaterhouseCoopers 8th Annual Survey: CEO Concerns on Governance, Risk Management & Compliance
• PricewaterhouseCoopers recently released the results of its 8th Annual Global CEO Survey. This year’s survey focuses on governance, risk management and compliance (“GRC”), areas of critical concern to business leaders in every industry.
• For this year’s report, more than 1,300 CEOs in a wide range of industries were asked to state their perceptions of GRC and to assess their progress, successes, and failures.
HIGHLIGHTS OF THE CEO SURVEY
• Very few CEOs (7 percent) view GRC as related solely to laws and regulations, and a majority (54 percent) consider GRC to be an integrated set of concepts and practices. Yet only 25 percent state that they are managing GRC effectively.
• While a majority of CEOs are very confident that their organizations can respond to GRC matters related to domestic laws and regulations (68 percent) and to internal policies and procedures in domestic business units (57 percent), only 26 percent are very confident that their organizations can respond to similar matters related to foreign laws and regulations, and only 24 percent to matters related to internal policies and procedures in foreign business units.
• In high numbers, the CEOs credit GRC with having a major, positive effect on legal liabilities (64 percent) and on reputation and brand (56 percent). However, they perceive other benefits less clearly.
• While many CEOs say that they adequately address stakeholders' concerns that are based on clear-cut legal requirements, fewer feel the same level of comfort with other constituents, whose expectations are more ambiguous.
• Fifty-eight percent of the CEOs indicate that GRC expenditures are primarily an investment; 38 percent view them primarily as a cost. Only 17 percent of all CEOs state that they can very accurately measure GRC costs.
• The 25 percent of CEOs who state that they are managing GRC effectively have an advantage over their peers in perceiving GRC benefits and in responding to stakeholders' GRC concerns. Advantages are also evident when business units feel ownership of GRC issues and when the organization and collection of GRC information are fully automated.
• The CEOs are optimistic about the future. Over 90 percent express confidence in their companies' prospects for revenue growth over the next 12 months.
• In response to low-cost competition, nearly 40 percent of the CEOs are engaging in offshoring or planning to do so. While these CEOs see the benefits of offshoring, they also perceive the risks.
Regulatory Scrutiny and Expectations
• Regulators are looking for an enterprise-wide approach.
• Regulators are focusing on conflicts of interest and business conduct.
• Regulators lack confidence in traditional governance, risk management and compliance practices.
• New standards have emerged to address the expectation gap:
  • NYSE Corporate Governance Standards
  • COSO Enterprise Risk Management Framework and Application Techniques
  • US Sentencing Commission Guidelines on Effective Compliance and Ethics Programs
  • Open Compliance and Ethics Guidelines
COSO ERM – Integrated Framework: Overview
The COSO Enterprise Risk Management Framework and Application Techniques were released in September 2004.
• Genesis
  • Framework development launched in early 2001
  • Over 10,000 hours of development time
  • Three-month public exposure period; over 78 comment letters received and considered
• The Framework
  • A definition of risk and risk management
  • Concepts, categories, principles and common terminology
  • Key components of an effective risk management program
  • Direction for enhancing existing risk management
  • Criteria for determining the effectiveness of risk management
• Application Techniques
  • Examples of how principles can be applied
COSO ERM Proposes a Definition for Enterprise Risk Management
Enterprise risk management:
• Is a process
• Is effected by the people
• Is applied in strategy setting
• Is applied across the enterprise
• Is designed to identify events potentially affecting the entity and manage risk within its risk appetite
• Provides reasonable assurance to the entity’s management and board
• Is geared to the achievement of objectives
The Enterprise Risk Management Framework
Foundational Aspects
• Starts with objectives
• Applies to activities at all levels of the organization
• Has eight interrelated components
Key Concepts
• Events and risks
• Risk appetite and risk tolerance
• Portfolio view
Key Concepts: Events and Risk
• An event is an incident or occurrence that could affect the implementation of strategy or achievement of objectives.
• Distinguish risk and opportunity:
  • Risk is the possibility that an event will occur and adversely affect the achievement of objectives.
  • Events that may have a positive impact represent natural offsets or opportunities.
• Risks are measured using the same unit of measure as the related objectives.
• Time horizons are specified and aligned with objectives.
Key Concepts: Managing Risks Within Risk Appetite and Risk Tolerances
• Risk appetite is a high-level view of how much risk management and the board are willing to accept.
• Management forms a risk appetite at the entity level.
• Management establishes risk tolerances, which are the acceptable level of variation around objectives, and aligns them with risk appetite.
Key Concept: Assigning Roles and Responsibilities
[Diagram: three alternative approaches (Approach 1, Approach 2, Approach 3), each showing the Board, Senior Management and Central Function(s), with the identify, assess and respond activities allocated differently across those levels. Labels recovered from the diagram: “Identify, Assess, Respond”; “Identify, Assess risks”; “Respond”.]
The Open Compliance and Ethics Guidelines
OCEG integrates effective practices associated with multiple disciplines into a framework of guidelines for managing compliance and ethics:
• Governance
• Compliance / Legal Management
• Ethics Management
• Risk Management
• Internal Audit
• Human Capital Management
• Change Management
• Quality Management
PwC’s Point of View - Maximizing Value Through Strategic GRC Integration
www.pwc.com/governance
• Integrate governance, risk management and compliance to drive value, effectiveness and efficiency
• Build on a foundation of Enterprise Risk Management and Internal Control
• Implement an operating model that integrates GRC over time and leverages both regulatory and quality best practices
Strategically Integrate Governance, Risk and Compliance Technology and Data Framework
Use of an integrated analysis framework for risk and compliance technology allows a company to collect essential information and assess the current technology environment across the company. This comprehensive set of requirements can then form the basis of your risk and compliance technology strategy.
[Diagram: layered technology and data framework, bottom to top]
• I. Sources – Structured Data (Company Specific) and Unstructured Data (Company Specific Data); source systems shown: GL, Front Office Systems, Back Office Systems, Operational Databases, External Data, Other Databases, Policies & Procedures, Content/Doc Mgt, Other
• II. Connectivity & Quality – Application Integration & Filtering, Data Quality, Security
• III. Repository & Processing – Data Repository, Business Process Management, Business Rules Engine
• IV. Compliance Modules – Management Technologies; Key Perf./Risk Indicators, Provisioning/Accountability, Customer Data Management, Survey, Other Modules
• V. User Interaction – Web Portal (Dashboards/Reporting), E-Mail, Other Devices
Practical Considerations and Evaluation Principles
• Benchmark against leading practices (industry, COSO, FSG, OCEG).
• Use a risk-based approach to assess and recommend the depth of management, monitoring, auditing and reporting activities.
• Develop a risk-based monitoring and reporting framework:
  • Periodically risk-assess the inventory of requirements based on likelihood and impact.
  • Apply graduated monitoring resources as the risk of non-compliance increases (self-assessment, compliance monitoring, internal audit, third-party review, etc.).
  • Involve board and senior management committees in reviewing and approving this framework, and on an ongoing basis in reviewing and approving risk assessments and the strategic allocation of monitoring resources based on framework principles.
• Focus on regulatory expectations regarding independence and authority.
• Assess and recommend structure, roles and responsibilities in a manner that leverages existing strengths and considers practical criteria, such as:
  • Where does the core competence and subject matter expertise reside?
  • Who is closest to the activity/risk?
  • How to best ensure ownership, authority and independence?
Carlo di Florio
Director, Governance, Risk & Compliance Practice
PricewaterhouseCoopers – New York
646-471-2275
• An international lawyer by training, Carlo has worked globally helping leading companies assess, improve and sustain corporate governance, risk management, compliance and ethics leading practices.
• Carlo is widely published, serves on a number of standard-setting bodies, and is a frequent speaker on the subject of corporate governance, risk management, compliance and ethics. Carlo served on the PwC team that authored the COSO Enterprise Risk Management Framework and Application Techniques, and serves on the Steering Committee of the Open Compliance and Ethics Guidelines.
Considerations in Applying the ERM Framework
• Enterprise Risk Management Vision – Develop a vision that sets out how enterprise risk management will be used going forward and how it will be integrated within the organization to achieve its objectives, including how the organization focuses its enterprise risk management efforts on aligning risk appetite and strategy, enhancing risk response decisions, identifying and managing cross-enterprise risks, seizing opportunities, and improving deployment of capital.
• Capability Development – The current state assessment and the enterprise risk management vision provide insights needed to determine the people, technology, and process capabilities already in place and functioning, as well as new capabilities that need to be developed.
• Implementation Plan – The initial plan is updated and enhanced, adding depth and breadth to cover further assessment, design, and deployment.
• Change Management Development and Deployment – Actions are developed as needed to implement and sustain the enterprise risk management vision and desired capabilities, including deployment plans, training sessions, reward reinforcement mechanisms, and monitoring the remainder of the implementation process.
• Monitoring – Management will continually review and strengthen risk management capabilities as part of its ongoing management process.
Organization Structure (continued)
Our experience indicates that the benefits perceived by institutions of increased centralization include:
• Enhanced Independence & Objectivity
• Enhanced Visibility & Stature Across the Organization
• Enables Greater Understanding & Reporting of Enterprise-Wide Risk
• Improves Coordination & Consistency in Monitoring and Change Management
• Allows Flexible Resource Deployment

Objective: Compliance and Ethics function staffing is sufficient to meet program needs. This includes staff skills, expertise, and experience.
Leading practices can include:
• Regulation, product, and subject matter specialists
• Project management specialists
• Technology, risk modeling, data mining, and board/management reporting specialists
• Specialized units in highly regulated industries (e.g., an advisory unit, a monitoring unit, an examination liaison team, a rapid response team, etc.)
Our experience indicates that institutions have found it important to consider segregation of duties where appropriate within the function or program, or between centralized resources and line-of-business “embedded” resources (e.g., advisory and monitoring functions).