Bsi bip 2154 2008

Good Governance A risk-based management systems approach to internal control DAVID SMITH and ROBERT POLITOWSKI Good Governance A risk-based management systems approach to internal control David Smith and Robert Politowski, iMS Risk Solutions Ltd First published in the UK in 2000 Second edition published in the UK in 2008 by BSI 389 Chiswick H igh Road London W4 4AL © British Standards Institution 2000, 2008 All rights reserved Except as permitted under the Copyright, Designs and Patents Act 1988, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior permission in writing from the publisher Whilst every care has been taken in developing and compiling this publication, BSI accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents, except to the extent that such liability may not be excluded in law The right of iMS Risk Solutions to be identi f ed as the authors of this Work has been asserted by them in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988 Typeset in Frutiger by M onolith – http://www.monolith.uk.com Printed in Great Britain by The MFK Group, Stevenage British Library Cataloguing in Publication Data A catalogue record for this book is available from the British Library ISBN 978-0-580-6431 3-2 Contents Foreword iv Acknowledgements iv I n tro d u cti o n S co p e a n d d e Ri sk m a n a g e m e n t syste m I m pl em en ta ti on of a ri sk m a n a g em en t system 5 O th e r m a n a g e m e n t p ro ce sse s S e l f-a sse ssm e n t q u e sti o n n a i re f n i ti o n s Appendix A Summary of risk management tools 38 Appendix B Comparative table – common elements of quality, environmental and OH&S Systems with PAS 99 40 Appendix C References and further reading 42 iii Foreword This is a guide to how organizations can identify and manage their risks for good governance Since the publication of PD 6668:2000, Managing Risk for Corporate Governance , upon which this book is based, there is a greater appreciation of the importance of risk management in organizations and society at large All organizations take risks but as the ‘credit crunch’ of 2008 showed, these risks need to be balanced They also need to recognize and manage those risks which, if realized, could prejudice the sustainability of the organization The principles apply to organizations worldwide, in the private or public sectors, NGOs, as well as not-forpro f t organizations This book outlines a management framework for identifying the risks and opportunities, determining the extent of the risks, implementing and maintaining control measures and reporting on the organization’s commitment to this process There have been a number of developments in the international and national management standards f eld since PD 6668 was published in 2000 These developments, including those on risk management (2008), occupational health and safety (2007), environmental management (2004) and sustainable development (2006), can help organizations with internal control for good governance Although the principles in many of these documents are similar they not use the same approach This is unfortunate as there is an increasing demand for an integrated approach An integrated approach that was developed in 2006 was PAS 99, Specifcation of common management system requirements as a framework for integration The framework used in this book has elements in common with PAS 99 and helps support the holistic approach to risk management for internal control and good governance Acknowledgements The authors would like to thank Chris Millidge for his help in drafting this document and M ichael Faber for reviewing it for us and his helpful suggestions A risk-averse business culture is no business culture at all (Blair, 2005) iv Introduction This book provides guidance for organizations that wish to develop a framework for managing risk for good governance Research by analysts demonstrates the positive link between good governance and organizational performance In a recent study, the Association of British Insurers – major investors in public companies in the UK – found that ‘well-governed companies will produce better returns for shareholders over time’ (Association of British Insurers, 2008) It is clear that well-managed organizations generally, whether in the public or private sector, are far more likely to satisfy stakeholders The focus of this publication is about managing those risks for the sustainable operation of organizations using a management systems standard approach In this introductory chapter the background to governance and the organizations to which the approach is applicable are brie f y reviewed The chapter explains why the approach adopted is generally applicable and consistent with international management systems standards Background The term ‘corporate governance’ came into general use following a number of major scandals and corporate failures in the late 980s and early 990s, and in the UK became enshrined in the report from the Committee on the Financial Aspects of Corporate Governance (the Cadbury Committee): ‘Corporate governance is the system by which companies are directed and controlled’ (Cadbury et al, 992) Such failures have occurred throughout the world and continue to occur, such as the crisis facing the global banking industry in 2008 The impact of these worldwide corporate failures had the potential to be of such a magnitude that there was the danger that the whole structure of the means of f nancing corporations might become threatened The essence of the limited liability company is that external investors are willing to become shareholders, in the f dence that their interests will be safeguarded Shareholders accept that not all investments will prove rewarding, but they are entitled to assume that there will be no mismanagement on the part of the directors and managers who are in day-to-day control of the corporation If they cannot be f dent that this is the case they will be unwilling to invest, and the basis of modern commercial activity will be under threat Whilst an individual shareholder might have been willing to accept the risk, major investors such as insurance companies or pension funds began to demand that to safeguard the interests of their clients, there should be greater regulation of the behaviour of joint stock companies In 999 the Organisation for Economic Co-operation and Development (OECD) produced a de f nition of corporate governance and a set of principles These principles were revised in 2004 and at a high level comprise the following requirements of a corporate governance framework (Organisation for Economic Co-operation and Development, 2004a) It should: ‘… promote transparent and effcient markets, be consistent with the rule of law and clearly articulate the division of responsibilities among different supervisory, regulatory and enforcement authorities… ’; ‘… protect and facilitate the exercise of shareholders’ rights… ’; ‘… ensure the equitable treatment of all shareholders, including minority and foreign shareholders All shareholders should have the opportunity to obtain effective redress for violation of their rights… ’; Introduction ‘… recognise the rights of stakeholders established by law or through mutual agreements and encourage active co-operation between corporations and stakeholders in creating wealth, jobs, and the sustainability of fnancially sound enterprises… ’; ‘… ensure that timely and accurate disclosure is made on all material matters regarding the corporation, including the fnancial situation, performance, ownership, and governance of the company… ’; ‘… ensure the strategic guidance of the company, the effective monitoring of management by the board, and the board’s accountability to the company and the shareholders… ’ Th e re a re a n u m b e r o f su b -cl a u se s to e a ch o f th e m a i n p ri n ci p l e s th a t co ve r sp e ci Th e re h a ve b e e n fu rth e r d e f f c a re a s n i ti o n s o f g o ve rn a n ce a n d l e g i sl a ti ve p o we rs i n m a n y co u n tri e s a ro u n d th e wo rl d Th e se n g e fro m th e vo l u n ta ry co d e o f p cti ce a p p ro a ch a s se e n i n th e U K to th e m o re p re scri p ti ve S a rb a n e s-O xl e y Act (U n i te d S ta te s o f Am e ri ca , 00 ) – a re sp o n se fro m l e g i sl a to rs i n th e U S to h i g h -p ro f l e fa i l u re s su ch a s E n ro n a n d Wo rl d Co m O rg a n i z a ti o n -wi d e ri sk m a n a g e m e n t a n d i n te rn a l co n tro l a re i m p o rta n t fo r th e su cce ssfu l ru n n i n g o f a n y b u si n e ss a n d sh o u l d re m a i n re l e va n t o ve r ti m e i n th e co n ti n u a l l y e vo l vi n g g l o b a l b u si n e ss e n vi ro n m e n t Th e O E CD p ri n ci p l e s sp e ci f ca l l y h i g h l i g h t b o a rd re sp o n si b i l i ty: Ensuring the integrity of the corporation’s accounting and fnancial reporting systems, including the independent audit, and that appropriate systems of control are in place, in particular, systems for risk management, fnancial and operational control, and compliance with the law and relevant standards (O E CD Pri n ci p l e VI D ) Th i s h a s l e d to th e fo rm a l co n si d e ti o n o f ri sk a n d th e i d e n ti a sp e ct th a t ca n b e n e f t fro m sp e ci f f ca ti o n o f i t a s a ‘ se p a te ’ c m a n a g e m e n t a rra n g e m e n ts Th a t i s n o t to sa y th a t o rg a n i za ti o n s h a ve n o t p re vi o u sl y re co g n i z e d th e se ri sks, b u t si m p l y th a t a fo rm a l a n d stru ctu re d a p p ro a ch h a d n o t b e e n a fe a tu re i n m a n y o rg a n i za ti o n s Th e ch a cte ri sti cs o f m a n y su cce ssfu l o rg a n i z a ti o n s te n d to re f e ct a n a tti tu d e a n d cu l tu re o f i d e n ti fyi n g o p p o rtu n i ti e s, re co g n i zi n g th e ri sks a n d m a n a g i n g th e m a p p ro p ri a te l y Th e re a re u p si d e s a n d d o wn si d e s to th e ri sks th a t co m e wi th e ve ry o p p o rtu n i ty a n d i t i s n e ce ssa ry to se l e ct th e ri g h t b a l a n ce O rg a n i z a ti o n s th a t a re ri sk a ve rse a re u n l i ke l y to th ri ve i n th e l o n g te rm b e ca u se o f co n ti n u a l ch a n g e i n th e m a rke l a ce a n d so ci a l e xp e cta ti o n s Application of this approach Al l o rg a n i za ti o n s n e e d to d i sp l a y g o o d g o ve rn a n ce , wh e th e r th e y a re co rp o te b o d i e s, p ri va te e n ti ti e s, p u b l i c b o d i e s o r ch a ri ti e s I n a n i n cre a si n g l y co m p l e x wo rl d wh e re sta ke h o l d e rs p l a y a n e ve r m o re i m p o rta n t ro l e th e re i s th e e xp e cta ti o n o f g o o d g o ve rn a n ce a n d tra n sp a re n cy Th e re a re a va ri e ty o f ch a cte ri sti cs o f g o o d g o ve rn a n ce i n cl u d i n g p ro m o ti n g va l u e s i n th e o rg a n i z a ti o n , fo cu si n g o n th e p u rp o se o f th e o rg a n i z a ti o n , e ffe cti ve p e rfo rm a n ce , e n g a g e m e n t wi th sta ke h o l d e rs a n d , m o st si g n i f ca n tl y fro m th e p e rsp e cti ve o f th i s b o o k, th e m a n a g e m e n t o f ri sk Introduction Many organizations need to manage a whole host of risks, for example: — corporate organizations operate in an increasingly complex world with global impacts, international supply chains and informed public opinion expressing concern about social responsibility; — public bodies have to determine the bene f ts of new technology against the risk of data loss; — charitable bodies have to balance the risks of supporting international disasters against the risks faced by their workers and donors’ concerns about misuse of aid; — public bodies have similar accountabilities to their ‘shareholders’ – often taxpayers; — charitable concerns need to assure their ‘investors’ that their donations are being applied to the purpose for which they were intended The principles of good governance equally apply to public bodies, charities, voluntary bodies, etc There is a need for good governance of public bodies to re f ect the need to ensure value for money, transparent decision making and reporting, proper codes of conduct, accountability and so on Despite the difference between the public and private sectors it is essential that people know for what they are responsible, and for what they are accountable There is also a drive for the public sector to be more creative and prepared to take more calculated business risks in order to deliver the best possible services to the public The public and private sectors differ in this respect The public sector needs good governance to enable it to take certain calculated risks, whilst the private sector needs good governance in order to manage the risks that are taken in everyday business One way of expressing the relationship between threat and opportunity can be seen in Figure 1 EFFECT OF TH REAT I M PORTANCE OF OPPORTUNI TY Combined or individual risk Unacceptabl e Critical Acceptabl e if worthwhil e Desirabl e Insignificant/ broadl y acceptabl e Negl igibl e Source: BS 6079-3:2000 Figure 1 — Relationship between threat and opportunity Public bodies need to direct and control their functions and nowhere can this be more clearly demonstrated than in local government Local government bodies have a real need to relate to their communities in a similar manner to corporate bodies, and to demonstrate continuous improvement and value for money through outward-looking, accountable and responsive services Introduction Risk management and internal control should be included in all dimensions of public bodies such as: — making public statements to stakeholders on the risk management strategy, process and framework, demonstrating accountability; — the capability and capacity within the organization; — mechanisms for monitoring and reviewing effectiveness against agreed standards; — robust systems for identifying, pro f ling, controlling and monitoring all signi f cant strategic, programme, project and operational risks; — providing openness by involving all those associated with planning and delivering services, including partners All the above issues are equally applicable to charities, clubs, societies and associations Large charitable concerns rely heavily on public donations to support their activities internationally There is clear recognition amongst boards of directors and investors – mostly those in the professional investment market – that there is a link between good corporate governance and organizational performance that is valued by stakeholders There are a number of international ratings organizations that focus research on the development of scoring systems for ranking governance performance This research is often used by professional investors to assist in making informed decisions to formulate an overall investment strategy, as a screening tool for analysts and portfolio managers and to adjust for governance risk when assessing credit risk, etc Additionally, companies themselves are beginning to use similar ranking research to help in their decision making, to reduce the chance of being targeted for shareholder action, to increase market trust in reported earnings, as a support in seeking lower borrowing costs, and in attracting highly quali f ed and experienced directors who can add value to the organization and achieve a higher market capitalization A management systems approach Good risk management is an essential element of good governance and it is against this background that this publication focuses on a risk management framework to help organizations in applying the principles of risk management throughout the whole organization from the lowest operating levels to the board of directors It is clearly important that all aspects of corporate governance are managed in a holistic manner This book focuses speci f cally on the important management of risk and the development of effective internal control mechanisms: Clause C.2 of The Combined Code on Corporate Governance (Financial Reporting Council, 2008) as expanded upon from Internal Control – Revised Guidance for Directors on the Combined Code (Financial Reporting Council, 2005) Chapter provides details of the scope and de f nitions used A more detailed description of an approach to managing risks is given in Chapter , which lays out a framework of the issues that should be addressed and follows a Plan, Do, Check, Act (PDCA) approach that is consistent with international management systems standards This approach is based on the model given in PAS 99:2006 (The requirements included in section of the PAS can be used as a speci f cation against which organizations can be assessed by changing the word ‘should’ to ‘shall’.) Appendix B details the correspondence between this publication and the requirements of standards on quality, environment, health and safety and information security, by way of example Introduction Chapters and contain a practical guide to delivering business requirements with respect to risk management for good governance Chapter provides a questionnaire to enable organizations to carry out a self-assessment of their systems for governance A good management system will enable identi f cation of risks, their management and help in any disclosure requirements for stakeholders The aspect of disclosure is speci f cally highlighted in the OECD principles for governance, which additionally call for inclusion of material information on ‘Foreseeable risk factors’ (Principle V.A.6) Failure to identify risk of data loss A government department was seeking to transfer personal data to another department in a short space of time Effective procedures were in existence but the time and cost of removing the sensitive elements of the data was considered too great As a result, when the data was lost in transit the personal details of many millions of people were lost The loss of this information has had many repercussions: • • • ASSESSMENT OF CORPORATE RISK ENABLING ORGANIZATIONAL CULTURE loss of fdence by the public in government departments handling fdential personal information; individuals whose details have been compromised; a possibility for fraudulent activity through the use of this information remains for many years to come EFFECTIVE MANAGEMENT SYSTEMS Charity and aid Figure — Three key components for delivering effective corporate governance Figure shows a simple model of the interrelationship of the three main components of a risk management system for good governance It is essential that the risks are identi f ed and understood and decisions taken on how they will be managed A key feature of a management systems approach is identi f cation of objectives and a programme for delivering the de f ned objectives Many international management systems standards have differing approaches; PAS 99 provides a common approach for managing business risk requirements in an integrated manner Many organizations already have management systems in place; meeting the requirements of these international standards and the approach builds upon these to ensure the bene f ts of existing systems can be utilized, eliminating redundancy and increasing eff ciency H owever, good internal control and risk management systems will not succeed in delivering the organizational objectives unless the arrangements are embedded within the organization and individuals are committed to Charity A was challenged by a government department that had made a grant for an aid project The charity was asked to demonstrate that its governance procedures were effective in the delivery of aid as news media reports suggested that those supposedly receiving the aid had made claims that it was inappropriate for their needs and some had fallen into the wrong hands This threatened to become a scandal and affect not only funding from government but also the many donations from members of the public who regularly made a signifcant contribution to overall funds The need for an effective control framework and monitoring and auditing became obvious Implementation of a risk management system — M a n a g e rs d e m o n stra ti n g g e n u i n e i n te re st i n ‘ sh o p f o o r’ a cti vi ti e s wi l l e n co u g e b u y-i n b y e m p l o ye e s a n d h e l p e n co u g e fe e d b a ck o n p o te n ti a l p ro b l e m s a n d o p p o rtu n i ti e s fo r i m p ro ve m e n t — Re g u l a r ch e cks to e n su re wa ste i s d i sp o se d o f a p p ro p ri a te l y f — E va l u a ti n g th e e f — M o n i to ri n g th e sa ti sfa cti o n o f h o u se h o l d e rs wi th co u n ci l se rvi ce s ci e n cy a n d co st o f d e a l i n g wi th p l a n n i n g a p p l i ca ti o n s I n a n y e ve n t, th e m e th o d s u se d sh o u l d b e p ro a cti ve , th a t i s, se e ki n g i n fo rm a ti o n o n wh a t i s h a p p e n i n g a n d i d e n ti fyi n g a re a s o f p o ssi b l e co n ce rn b e fo re th e y b e co m e a n i ssu e Evaluation o f compliance At va ri o u s ti m e s th e o rg a n i za ti o n n e e d s to d e te rm i n e wh e th e r i t i s co m p l i a n t wi th a n y re g u l a to ry co n tro l s o r re q u i re m e n ts th a t a p p l y to i ts o p e ti o n s Th i s e va l u a ti o n m a y n e e d to b e a g a i n st th e re q u i re m e n ts sp e ci f e d i n o th e r co u n tri e s i f th e o rg a n i za ti o n p ro vi d e s g o o d s o r se rvi ce s to o th e r p a rts o f th e wo rl d Th e fre q u e n cy o f th i s e va l u a ti o n ca n va ry d e p e n d i n g o n th e ri sk a n d th e co n tro l s th a t a re a p p l i e d A si m i l a r p ro ce ss i s a l so a p p ro p ri a te fo r e va l u a ti n g cu sto m e r o r sta ke h o l d e r re q u i re m e n ts Internal audit M a n y p e o p l e a re fa m i l i a r wi th th e co n ce p t o f a u d i ti n g fo r fu n cti o n o f f f n a n ci a l p u rp o se s Th e n a n ci a l a u d i to rs i s q u i te d i ffe re n t fro m th a t o f a syste m s a u d i to r I n th e ca se o f ri sk m a n a g e m e n t fo r co rp o te g o ve rn a n ce , th e i n te rn a l a u d i t sh o u l d b e fo cu se d o n th e ri sk m a n a g e m e n t syste m s a n d th e i r a b i l i ty to d e l i ve r th e o rg a n i z a ti o n ’s p o l i ci e s a n d o b j e cti ve s Th e a u d i to r h a s a re sp o n si b i l i ty to m a ke su re th a t th e d e f n e d syste m i s i n fa ct b e i n g fo l l o we d Au d i t co n si d e ti o n s a t a h i g h l e ve l sh o u l d i n cl u d e : — b o a rd p o l i cy o b j e cti ve s a n d p ri o ri ti e s; — sta ke h o l d e r re q u i re m e n ts; — sta tu to ry a n d re g u l a to ry re q u i re m e n ts; — ri sks to th e o rg a n i z a ti o n ; — syste m s a n d o p e ti o n a l a rra n g e m e n ts Th e a u d i t sh o u l d e sta b l i sh th a t th e fo l l o wi n g re q u i re m e n ts h a ve b e e n m e t: — p l a n s p re p a re d , d o cu m e n te d a n d co m m u n i ca te d ; — re sp o n si b i l i ti e s d e si g n a te d ; — ti m e -sca l e s se t to a ch i e ve o b j e cti ve s; — p l a n s re vi e we d a t p l a n n e d re g u l a r i n te rva l s; — d o cu m e n ta ti o n o f ro l e s, re sp o n si b i l i ti e s, a n d a u th o ri ti e s; — a m a n a g e m e n t re p re se n ta ti ve h a s b e e n a p p o i n te d a s a ri sk o wn e r; — re so u rce s (i n cl u d i n g h u m a n re so u rce s, sp e ci a l i z e d ski l l s, te ch n o l o g y a n d — ro l e s, re sp o n si b i l i ti e s a n d a u th o ri ti e s d e — e ffe cti ve p ro ce d u re s fo r e n su ri n g th e co m p e te n ce o f p e rso n n e l to ca rry o u t f n a n ci a l re so u rce s) ; f n e d a n d d o cu m e n te d ; th e i r d e si g n a te d fu n cti o n s Al l i n te rn a l a u d i t a cti vi ti e s sh o u l d re su l t i n a fo rm a l re p o rt d e a l i n g wi th th e sp e ci th a t h a ve b e e n a u d i te d Th i s re p o rt sh o u l d b e co n 31 f f c a re a s d e n ti a l a n d , wh i l st a sp e cts o f th e Implementation of a risk management system f n d i n g s m a y h a ve b e e n d i scu sse d wi th a p p ro p ri a te l e ve l s o f m a n a g e m e n t, i t sh o u l d b e p ro vi d e d d i re ctl y to th e to p m a n a g e m e n t re sp o n si b l e fo r ri sk m a n a g e m e n t Pe rso n n e l ch o se n to u n d e rta ke th e i n te rn a l a u d i t sh o u l d b e se l e cte d o n th e b a si s o f co m p e te n ce a n d i n d e p e n d e n ce fro m th e a re a b e i n g a sse sse d Improvement General N o syste m sh o u l d b e sta ti c a s th e e xp e cta ti o n s o f sta ke h o l d e rs co n ti n u a l l y ch a n g e o ve r ti m e M o re o ve r, th e a b i l i ty to m a n a g e ri sk m a y we l l i m p ro ve , a n d th e syste m n e e d s to ta ke a cco u n t o f e m e rg i n g ri sks Th e p ro ce sse s o f m o n i to ri n g , m e a su re m e n t a n d a u d i t p ro vi d e va l u a b l e i n fo rm a ti o n o n wh e re i m p ro ve m e n ts to th e syste m a re n e ce ssa ry o r ca n b e m a d e Analysis o f noncon formity I f th e syste m i s fa i l i n g i n so m e wa y, th i s i s o fte n te rm e d a s a n o n co n fo rm i ty a n d a rra n g e m e n ts n e e d to b e e sta b l i sh e d fo r a n a l ysi n g a n d co rre cti n g th i s Th e ro o t ca u se fo r th e n o n co n fo rm i ty sh a l l b e d e te rm i n e d a n d th e fa i l i n g a d d re sse d Th e l e ve l a t wh i ch re sp o n si b i l i ty a n d a u th o ri ty fo r a n y sp e ci f c a cti o n to d e a l wi th p re ve n ti n g n o n co n fo rm a n ce wi l l o b vi o u sl y d e p e n d u p o n th e n a tu re o f th e ri sk Th i s sh o u l d b e d e a l t wi th a t a su f f ci e n tl y se n i o r l e ve l to d e m o n stra te co m m i tm e n t to th e p ro ce ss Th e re n e e d s to b e so m e p ro ce ss i n sti g a te d to ch e ck th a t a cti o n h a s b e e n ta ke n a n d th a t i t h a s b e e n e ffe cti ve i n d e a l i n g wi th th e ro o t ca u se o f th e n o n co n fo rm a n ce An y n e w a rra n g e m e n ts p u t i n p l a ce sh o u l d b e e va l u a te d b e fo re i m p l e m e n ta ti o n to d e te rm i n e th a t n o n e w u n a cce p ta b l e ri sks wi l l b e cre a te d Management review Re vi e wi n g ri sk m a n a g e m e n t g o ve rn a n ce syste m s i s a fu n d a m e n ta l re q u i re m e n t i n a n y o rg a n i za ti o n Th e re vi e w e n su re s th a t i n te rn a l co n tro l s a re b e i n g a p p l i e d e ffe cti ve l y, a s i n te n d e d , a n d d e l i ve r o rg a n i z a ti o n a l o b j e cti ve s M o st i m p o rta n tl y, re vi e ws p ro vi d e th e m e ch a n i sm to d ri ve th e co n ti n u a l i m p ro ve m e n t re q u i re d o f a n y m a n a g e m e n t syste m Th e re a re sp e ci f c i n p u ts to th e m a n a g e m e n t re vi e w a n d wh a t i s e xp e cte d i n th e fo rm o f o u u ts Th i s re i n fo rce s th e vi ta l ro l e o f th e se re vi e ws i n d ri vi n g th e co n ti n u a l i m p ro ve m e n t cycl e — Results of audits Th e a u d i t p ro ce ss sh o u l d b e e m b ce d a s a n e sse n ti a l a cti vi ty a n d to p m a n a g e m e n t sh o u l d vi e w th e o u u ts i n a p o si ti ve m a n n e r, wh e th e r th e re su l ts a re p o si ti ve o r n e g a ti ve Th e re su l ts a re o n e o f th e m o st i m p o rta n t i n p u ts to th e re vi e w p ro ce ss Th e y sh o u l d h e l p to i d e n ti fy wh e th e r th e e xi sti n g f Feedback from stakeholders a rra n g e m e n ts a re su f — ci e n t fo r d e l i ve ri n g th e p o l i cy a n d o b j e cti ve s An y e m e rg i n g tre n d s, sta ke h o l d e r re q u i re m e n ts o r i n fo rm a ti o n fro m e xte rn a l so u rce s sh o u l d b e d e a l t wi th a s th e y a ri se th ro u g h o u t th e ye a r Th e m a n a g e m e n t re vi e w n e e d s to co n si d e r wh e th e r th e re i s a n e e d fo r n e w stra te g i e s o r a rra n g e m e n ts 32 Implementation of a risk management system For the system to be effective there is a need to involve the workforce and encourage its contribution Its concerns should be considered with a view to identifying opportunities for continuing and/or improved commitment to the organization in its management of the risks for good governance — Status of remedial actions The organization should review any actions it has taken or is taking following any incidents — Follow-up actions from previous management reviews The follow-up actions should be presented and an indication given where possible of the timeliness of the implementation of new measures and their effectiveness — Changing circumstances, including developments in legal and other requirements This includes both internal and external factors, such as takeovers or mergers, reorganizations, new technology, new projects and any new legal or regulatory impacts — — Data and information on organizational performance This is where the overall performance of the organization is reviewed to see how well it has been managing its risks for governance and whether the objectives have been delivered within the de f ned schedule Recommendations for improvement A frequent misconception is that the management review should just be carried out annually In reality, the frequency should be determined by circumstances To be truly effective, the management review of the organization’s processes should be structured around areas of delivery where uncertainty and risk matter most The management review differs from the audit in that it is more strategic in its focus For example, the audit may conclude that everything is in place to meet the policy and objectives, but the management review may show, for example, that internal or external considerations justify a change As well as seeking to remedy de f ciencies, the management review offers the opportunity for a more proactive approach: to consider where the organization wishes to be in the governance of its risks and how it can maximize the resulting bene f ts 33 Other management processes Th e re a re m a n y i n te rn a ti o n a l a n d n a ti o n a l m a n a g e m e n t syste m p ro ce sse s th a t ca n h e l p a n o rg a n i z a ti o n i n th e i m p l e m e n ta ti o n , o p e ti o n a n d m a i n te n a n ce o f i n te rn a l co n tro l a rra n g e m e n ts Th e re m a y b e i n d i vi d u a l a rra n g e m e n ts to d e a l wi th sp e ci th a t a re ve ry so u n d i n th e m se l ve s, wh i ch a re e xte rn a l l y a sse sse d a n d ce rti f f c ri sks e d Th e se i n d i vi d u a l a rra n g e m e n ts m a y b e u se fu l a s a fra m e wo rk fo r d e ve l o p i n g o ve l l i n te rn a l co n tro l a n d ri sk m a n a g e m e n t a rra n g e m e n ts I n a n y e ve n t, th e u se o f e xte rn a l p a rti e s to u n d e rta ke i n d e p e n d e n t a u d i t sh o u l d g i ve a ssu n ce to th e b o a rd th a t a rra n g e m e n ts a re so u n d a n d ca n m e e t re p o rti n g re q u i re m e n ts e xp e cte d u n d e r co rp o te g o ve rn a n ce fra m e wo rks Ad d i ti o n a l l y, th e u se o f su ch ce rti f e d syste m s ca n a ssi st i n e m b e d d i n g wi th i n th e o rg a n i z a ti o n a rra n g e m e n ts fo r ri sk a sse ssm e n t a n d i n te rn a l co n tro l , e n a b l i n g a n o rg a n i za ti o n to d e m o n stra te co m p l i a n ce to i n te re ste d sta ke h o l d e rs Th e l i st b e l o w i n cl u d e s sta n d a rd s th a t re l a te to so m e a re a s th a t m i g h t b e co n si d e re d : B S 9 –1 : 06 , B S 9 –2 : 07 , Business continuity management — Part : Code of practice Business continuity management — Part 2: Specifcation B S 1 0 (D PC) (2 00 8) B S E N I S O 400 : 04, guidance for use Code of practice for risk management Environmental management systems — Requirements with Food safety management systems — Requirements for any organization in the food chain B S E N I S O 2 00 : 00 , Information technology — Security techniques — Information security management systems — Requirements B S I S O /I E C 01 : 0 ; B S 7 9 -2 : 00 , B S O H S AS 80 01 : 00 , — Requirements S A80 00 : 0 , Occupational health and safety management systems Social Accountability Pl e a se se e Ap p e n d i x B fo r co rre sp o n d e n ce o f th e re q u i re m e n ts b e twe e n va ri o u s m a n a g e m e n t syste m s fo r q u a l i ty, e n vi ro n m e n t, h e a l th a n d sa fe ty a n d i n fo rm a ti o n se cu ri ty 34 Self-assessment questionnaire Th e si m p l e q u e sti o n s se t o u t b e l o w wi l l e n a b l e yo u to e sta b l i sh wh e re yo u r o rg a n i za ti o n i s p o si ti o n e d wi th re sp e ct to th e b a si c e l e m e n ts i t n e e d s fo r co n tro l l i n g i ts ri sks E a ch q u e sti o n a ttra cts a sco re b e twe e n a n d S co re wh e re th e i ssu e h a s n o t b e e n a d d re sse d , fo r p a rti a l co m p l i a n ce a n d i f yo u r o rg a n i za ti o n fu l l y sa ti s I s to p m a n a g e m e n t co m m i tte d to e ffe cti ve ri sk m a n a g e m e n t fo r g o o d g o ve rn a n ce ? I s th e ri sk m a n a g e m e n t syste m b a se d o n th e b e st a va i l a b l e i n fo rm a ti o n ? I s ri sk m a n a g e m e n t p a rt o f th e p ro ce ss o f d e ci si o n m a ki n g i n yo u r o p e ti o n s? Are yo u r ri sk m a n a g e m e n t syste m s a n d p o l i ci e s a p p ro p ri a te fo r th e si ze , co m p l e xi ty a n d n a tu re o f yo u r o rg a n i z a ti o n ? Are yo u r ri sk m a n a g e m e n t syste m a n d p o l i ci e s a p p ro p ri a te fo r th e n a tu re o f th e ri sks yo u r o rg a n i z a ti o n fa ce s, re f e cti n g b e st p cti ce i n yo u r se cto r? D o e s th e o rg a n i z a ti o n h a ve a p ro ce ss fo r i d e n ti f ca ti o n o f ri sks? H a ve yo u i d e n ti f e d th e ri sks to th e o rg a n i z a ti o n ? H a ve yo u a sse sse d th e l i ke l i h o o d a n d co n se q u e n ce s o f th e si g n i f ca n t ri sks b e i n g re a l i ze d ? I s th e ri sk m a n a g e m e n t syste m syste m a ti c a n d stru ctu re d ? D o e s th e ri sk i d e n ti f ca ti o n p ro ce ss ta ke i n to a cco u n t o rg a n i z a ti o n a l cu l tu re , h u m a n fa cto rs a n d b e h a vi o u r? I s yo u r ri sk m a n a g e m e n t syste m d yn a m i c a n d re sp o n si ve to ch a n g e ? H a ve yo u a sse sse d th e ri sks th a t co u l d d a m a g e yo u r o rg a n i z a ti o n ’s re p u ta ti o n ? H a ve yo u a sse sse d th e ri sks th a t co u l d re su l t i n p ro d u cti o n l o ss o r se rvi ce fa i l i n g ? 35 f e s th e q u e sti o n Self-assessment questionnaire H a ve yo u a sse sse d th e ri sk th a t co u l d a d ve rse l y a ffe ct yo u r m a rke t p o si ti o n ? D o yo u h a ve a m e ch a n i sm to i d e n ti fy a n d a sse ss ri sks o n a n o n g o i n g b a si s? H a ve yo u e sta b l i sh e d i n te rn a l co n tro l a rra n g e m e n ts to d e a l wi th th e i d e n ti f e d ri sks? I s to p m a n a g e m e n t u p to d a te wi th d e ve l o p m e n ts i n re g u l a to ry fra m e wo rks, te ch n o l o g i ca l i ssu e s a n d p o l i ti ca l i ssu e s, wh i ch m a y a ffe ct th e o rg a n i za ti o n ’s m a rke t? I s th e re a p ro ce ss i n p l a ce to i d e n ti fy l e g a l a n d o th e r re q u i re m e n ts th a t th e o rg a n i za ti o n n e e d s to a d d re ss? H a ve yo u i d e n ti f e d yo u r o rg a n i za ti o n ’s sta ke h o l d e rs a n d th e i r e xp e cta ti o n s? H a ve yo u e sta b l i sh e d a co n ti n g e n cy p l a n a n d e va l u a te d i ts e ffe cti ve n e ss? H a ve yo u e sta b l i sh e d co n ti n u i ty a rra n g e m e n ts i n th e e ve n t o f a d i sa ste r o r e m e rg e n cy? D o e s to p m a n a g e m e n t h a ve cl e a r o b j e cti ve s fo r th e o rg a n i za ti o n th a t h a ve b e e n co m m u n i ca te d to e m p l o ye e s a s a p p ro p ri a te ? D o e s m a n a g e m e n t d e m o n stra te th e n e ce ssa ry co m p e te n ce a n d i n te g ri ty to cre a te a cl i m a te o f tru st? Are th e a rra n g e m e n ts e m b e d d e d i n th e cu l tu re o f th e o rg a n i za ti o n ? Are m a n a g e m e n t co n tro l a rra n g e m e n ts i m p l e m e n te d e ffe cti ve l y th ro u g h o u t th e o rg a n i z a ti o n ? D o e s m a n a g e m e n t e n su re th a t p e o p l e a re a d e q u a te l y tra i n e d to m a n a g e th e ri sks th e y a re a ssi g n e d to co n tro l ? D o th e p e o p l e i n th e o rg a n i za ti o n h a ve th e kn o wl e d g e , ski l l s, to o l s a n d re so u rce s to su p p o rt th e a ch i e ve m e n t o f th e co m p a n y’s o b j e cti ve s? Are a rra n g e m e n ts i n p l a ce fo r d o cu m e n ti n g a rra n g e m e n ts a n d re co rd s ke p t wh e re n e ce ssa ry? 36 Self-assessment questionnaire I s th e re e ffe cti ve co m m u n i ca ti o n b e twe e n to p m a n a g e m e n t a n d th e m a n a g e m e n t te a m , o th e r e m p l o ye e s a n d o th e rs to e n su re th a t a l l p a rti e s u n d e rsta n d th e co m p a n y’s a p p e ti te fo r ri sk? Are th e re e sta b l i sh e d ch a n n e l s o f co m m u n i ca ti o n fo r i n d i vi d u a l s to re p o rt su sp e cte d b re a ch e s o f l a w, re g u l a ti o n s, e tc – a ‘ wh i stl e -b l o we r’s ch a rte r’ ? Are o p e ti o n a l co n tro l s m o n i to re d o n a re g u l a r b a si s to e n su re co n ti n u e d e ffe cti ve n e ss? D o yo u re g u l a rl y re vi e w a rra n g e m e n ts fo r co m p l yi n g wi th cu sto m e r, sta ke h o l d e r a n d re g u l a to ry re q u i re m e n ts? D o yo u re g u l a rl y a u d i t th e ri sk m a n a g e m e n t co n tro l a rra n g e m e n ts? D o yo u re g u l a rl y se e k to i m p ro ve yo u r a rra n g e m e n ts? D o th e re su l ts o f a u d i ts, i n ci d e n ts a n d p e rfo rm a n ce re p o rts re g u l a rl y fo rm p a rt o f th e re vi e w p ro ce ss? D o yo u re p o rt re g u l a rl y u p o n yo u r ri sk m a n a g e m e n t p ro ce sse s? If your total score is: less than 30: yo u r o rg a n i za ti o n h a s h a rd l y m a d e a sta rt o n th e e ffe cti ve m a n a g e m e n t o f i ts ri sks fo r g o o d g o ve rn a n ce a n d n e e d s to m o ve fo rwa rd q u i ckl y 31 to 60: more than 60: yo u r o rg a n i za ti o n h a s m a d e a sta rt b u t n e e d s to d o m o re p ro vi d e d yo u d o n o t sco re l e ss th a n i n a n y a re a , th e o rg a n i za ti o n sh o u l d b e we l l o n th e wa y to e ffe cti ve co n tro l 37 Appendix A Summary of risk management tools Table A.1 Summary of risk management tools Tool I d e n ti Ri sk ch e ckl i sts/Pro m p t l i sts f ca ti o n wo rksh o p N o m i n a l g ro u p te ch n i q u e Ri sk b re a kd o wn stru ctu re D e l p h i te ch n i q u e Pro ce ss m a p p i n g Ca u se -a n d -E ffe ct d i a g m s Ri sk m a p p i n g /Ri sk p ro f ca ti o n ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ Ri sk q u e sti o n n a i re s Ri sk i d e n ti f ling Ri sk I n d i ca to rs B i n sto rm i n g / ‘ th o u g h t sh o we r’ e ve n ts I n te rvi e ws a n d fo cu s g ro u p s ‘ Wh a t i f? ’ wo rksh o p s S ce n a ri o a n a l ysi s/sce n a ri o p l a n n i n g /h o ri z o n Asse ssm e n t Re sp o n se ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ sca n n i n g H a za rd a n d o p e b i l i ty stu d y (H AZ O Ps) PE S T (Po l i ti ca l , E co n o m i c, S o ci o l o g i ca l , ✓ ✓ ✓ ✓ ✓ ✓ Te ch n o l o g i ca l ) a n a l ysi s S WO T (S tre n g th s, We a kn e sse s, O p p o rtu n i ti e s a n d Th re a ts) a n a l ysi s ✓ ✓ ✓ ✓ ✓ S ta ke h o l d e r e n g a g e m e n t/M a tri ce s Ri sk re g i ste r/D a ta b a se Pro j e ct p ro f l e m o d e l (PPM ) Ri sk ta xo n o m y G a p a n a l ysi s: Pa re to a n a l ysi s 38 ✓ ✓ ✓ Appendix A Tool Probability and consequence grid/Diagrams (PIDs)/Boston grid CRAMM Identi f cation Assessment ✓ ✓ ✓ ✓ ✓ ✓ ✓ Probability trees Expected value method Risk modelling/Risk simulation (Monte Carlo/Latin Hypercube): ✓ ✓ ✓ Flow charts, process maps and documentation Fault and event tree modelling: Failure Mode Effects Analysis (FMEA) ✓ Stress testing Critical path analysis (CPA) or Critical path method (CPM ) Sensitivity analysis Cash Response f ow analysis Portfolio analysis Cost-Bene f t analysis Utility theory Visualization techniques H eat maps, RAG status reports, Waterfall charts, Pro f le graphs, 3D Graphs, Radar charts, Scatter diagrams ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ Source: Table A.1 is taken from DC BS 31100 39 Appendix B Comparative table – common elements of quality, environmental and OH&S Systems with PAS 99 Table B.1 Comparative table illustrating the common elements of quality, environmental and OH&S Systems with PAS99: speci f cation of common management systems requirements as a framework for integration Good Governance – Risk Management System 3.1 General requirements ISO 9001 ISO 4001 ISO 8001 ISO/IEC 27001 Requirements of PAS 99 4 4 5 3.2 Policy 4 5 4 4 4 (b ) 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 2 3.3 Planning for risk management Ri sk i d en ti f ca ti o n , a sse ssm e n t a n d co n tro l 7.2 I d e n ti f ca ti o n o f sta ke h o l d e r re q u i re m e n ts 7 Co n ti n g e n cy p l a n n i n g 4 3 O b j e cti ve s a n d m a n a g e m e n t p ro g m m e O rg a n i za ti o n a l stru ctu re , ro l e s, re sp o n si b i l i ti e s, 5 a cco u n ta b i l i ty a n d a u th o ri ty 3.4 Implementation and operation O p e ti o n a l Co n tro l M a n a g i n g re so u rce s 40 4 Appendix B Good Governance – Risk Management System D o cu m e n ta ti o n Co m m u n i ca ti o n ISO 9001 ISO 4001 ISO 8001 ISO/IEC 27001 Requirements of PAS 99 4 4 4 4 4 4 4 5 4 4 4 4 4(c) 4 5 5 5 7.2.3 3.5 Performance assessment M o n i to ri n g a n d m e a su ri n g 7.6 E va l u a ti o n o f co m p l i a n ce 5 I n te rn a l Au d i t 3.6 Improvement 5 5 4 G e n e l 5 An a l ysi s a n d h a n d l i n g o f 4 n o n co n fo rm i ti e s 8 8 3 Re vi e w 6 I n pu t O u u t M a n a g e m e n t re vi e w 7 7.1 6 7.2 6 7.3 – g e n e l Re p o rti n g Note : 4 th i s Ta b l e sh o u l d be ta ken a s a g u i d e on l y, si n ce correspo n d e n ce b e twee n th e cl a u se s co u l d b e i m preci se 41 Appendix C References and further reading Corporate governance codes from around the world: http://www.ecgi.org/codes/all_codes.php Association of British Insurers (ABI) (2008) ABI Research Performance in Corporate Britain , London: ABI Paper – Governance and The Association of Insurance and Risk Managers (AIRMIC), The National Forum for Risk Management in the Public Sector (ALARM) and The Institute of Risk Management (IRM) (2002) A Risk Management Standard, London: AIRMIC/ALARM /IRM Basel Committee on Banking Supervision (1 999) Enhancing Corporate Governance for Banking Organisations, Basel: Basel Committee on Banking Supervision See: http://www.bis.org/bcbs/ Blair, A (2005) ‘Risk and the State’ speech delivered by Rt Hon A Blair at University College London, 26 M ay 2005 Project management — Part 3: Guide to the management of business related project risk, London: British Standards Institution BS 25999-1 :2006, Business continuity management – Part 1: Code of practice , London: BS 6079-3:2000, BS 25999-2:2007, Business continuity management — Part 2: Standards Institution BS 31 00 (DPC) (2008) Institution Specifcation , London: British Code of practice for risk management, London: British Standards BS EN ISO 9000:2005, Quality management systems — Fundamentals and vocabulary, London: British Standards Institution BS EN ISO 9001 :2000, Standards Institution Quality management systems — Requirements, London: British BS EN ISO 4001 :2004, Environmental management systems — Requirements with guidance for use , London: British Standards Institution BS EN ISO 22000:2005, Food safety management systems — Requirements for any organization in the food chain , London: British Standards Institution BS ISO/IEC 27001 :2005; BS 7799-2:2005, Information technology — Security techniques — Information security management systems — Requirements, London: British Standards Institution BS OH SAS 8001 :2007, Occupational health and safety management systems — Requirements, London: British Standards Institution Cadbury, A et al (1 992) Report of the Committee on the Financial Aspects of Corporate Governance, London: Gee and Co Ltd Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004) Enterprise Risk Management — Integrated Framework, Washington, DC: COSO The Federal Reserve Board (2004) ‘Trends in Risk Management and Corporate Governance’ (‘Remarks by Governor Susan Schmidt Bies At the Financial M anagers Society Finance and Accounting Forum for Financial Institutions, Washington, D.C., June 22, 2004’) See: http://www.federalreserve.gov Financial Reporting Council (FRC) (2005) on the Combined Code , London: FRC Internal Control – Revised Guidance for Directors 42 Appendix C Financial Reporting Council (FRC) (2008) London: FRC The Combined Code on Corporate Governance , H illson, D (2007) The Risk Management Universe: London: British Standards Institution A guided tour (2nd edition) (BIP 2036), IMS Risk Solutions (2003a) IMS: Continual Improvement through London: British Standards Institution Auditing (BIP 201 :2003), IMS Risk Solutions (2003b) IMS: Risk Management for Good Governance (BIP 201 2:2003), London: British Standards Institution The Independent Commission on Good Governance in Public Services (2004) The Good Governance Standard for Public Services, London: Off ce for Public Management Ltd and The Chartered Institute of Public Finance and Accountancy International Corporate Governance Network (ICGN) (1 999) Corporate Governance Principles, London: ICGN See: http://www.icgn.org/documents/globalcorpgov.htm Kelly, J M (2004) Institution ICGN Statement on Global IMS: The Excellence Model (BIP 201 0:2004), London: British Standards Focus on the Future of Corporate Governance , London: MORI Murray, R P (2003) IMS: Information Security (BIP 2008:2003), London: British Standards MORI (2003) Institution Nowacki, G (2003) Institution IMS: Customer Satisfaction (BIP 2005:2003), London: British Standards Off ce for Public Management Ltd (OPM) (2007) London: OPM Going Forward with Good Governance , Off ce of Government Commerce, Management of Risk See: http://www.ogc.gov.uk/guidance_management_of_risk.asp Organisation for Economic Co-operation and Development (OECD) (2004a) Principles of Corporate Governance , Paris: OECD See: http://www.oecd.org OECD Organisation for Economic Co-operation and Development (OECD) (2004b) Guidelines on Corporate Governance of State-owned Enterprises – Draft Text, Paris: OECD See: http://www.oecd.org/dataoecd/46/51 /3480321 pdf Comments from Public Consultation on the Draft for Guidelines on Corporate Governance in State Owned Enterprises, Paris: OECD See: http://www.oecd.org PAS 99:2006, Specifcation of common management system requirements as a framework for integration , London: British Standards Institution Robbins, M and Smith, D (2000) Managing Risk for Corporate Governance (PD 6668), Organisation for Economic Co-operation and Development (OECD) (2004c) London: British Standards Institution Social Accountability, New York: Social Accountability International Smith, D and Politowski, R (2007a) IMS: A Framework for integrated management systems Background to PAS 99 and its application (BIP 21 9:2007), London: British Standards SA8000:2001 , Institution Smith, D and Politowski, R (2007b) IMS: Implementing (BIP 21 38:2007), London: British Standards Institution 43 and operating using PAS 99 Appendix C Tu rn b u l l , N et al (1 9 ) Internal Control – Guidance for Directors on the Combined Code , Lo n d o n : Th e I n sti tu te o f Ch a rte re d Acco u n ta n ts i n E n g l a n d & Wa l e s Ava i l a b l e a t: h ttp : //www i ca e w co m U n i te d S ta te s o f Am e ri ca (2 02 ) S a rb a n e s-O xl e y Act o f 0 Ava i l a b l e a t: h ttp : //www se c g o v/a b o u t/l a ws/so a 02 p d f S e e a l so : h ttp : //www se c g o v/sp o tl i g h t/sa rb a n e s-o xl e y h tm 44