Establishing the Governance Strategy of the Audit Committee

Identifying the performance drivers within the organisation’s intangible assets – Human Capital, Information Capital and Organisation Capital – to optimise the contribution of the role of the Audit Committee to the financial governance of the enterprise.

PHILIP A F MARSHALL C.A. F.C.A
July 14th 2011

THE AUDIT COMMITTEE’S GOVERNANCE STRATEGY MAP

NO TOPIC
I Developing the strategic direction of the organisation
II Strategic Control Assurance Plan
III Business Process Management Best Practices
IV Culture and Context – Organisational Capital

Developing the strategic direction of the organisation and establishing its long term goals and objectives. The governance role of the Board and Audit Committee

ROLE OF THE BOARD/MANAGEMENT - REVIEW AND APPROVAL PROCESS - STRATEGIC DECISION-MAKING

Strategic Thinking
Collecting, analyzing, and discussing information about the environment of the organisation, the nature of competition, and broad strategy design alternatives – different views of customer value proposition, scope, competitive advantage, and source of profit.
Role of the Board
• Be an active participant in the strategic thinking process.
• Bring an outside perspective.
• Test the consistency of management’s thinking.
• Collaborate with management.
Role of Management
• Initiate the process of strategic thinking.
• Set the agenda - pose the questions and issues.
• Provide meaningful information.
• Actively participate with the Board in the discussions.
• Summarize the output of Board and management working together.

Strategic Decision-making
Making the fundamental set of decisions about the business portfolio and business strategy design.
Role of the Board
• Provide input for management’s decision making.
• Provide ultimate review and approval on major decisions (resource allocation, initiatives, portfolio changes).
Role of Management
• Make critical decisions.
• Develop proposals to the Board for critical directional decisions and major resource allocation.
• Engage with the Board in its review of decisions.

Strategic Planning
Translating the critical strategic decisions into a set of priorities, objectives, and resource allocation actions to execute the strategy.
Role of the Board
• Review core strategic plans presented by management.
• Ensure understanding of the plans and their potential risks & consequences.
• Comment and make suggestions on plans, as appropriate.
• Approve plans.
Role of Management
• Develop plans, working with staff support and operating management.
• Review plans to ensure consistency with corporate objectives and the enterprise-wide risk management process.
• Present plans to the Board for review.

Copyright : Mercer Delta Consulting

STRATEGY MAPS – LEARNING & GROWTH PERSPECTIVE
How do we create value from intangible assets?

Financial Perspective
Maximize the long term total return to shareholders
Productivity Strategy; Risk Management; Revenue Growth Strategy
Improve Cost Structure; Expand Revenue Sources; Increase Asset Utilisation; Enhance Customer Value

Customer Perspective
Customer Value Proposition
Price; Quality; Availability; Selection; Functionality; Service; Product/Service Attributes; Partnership; Relationship; Brand; Image

Process Perspective
• Operations Management Processes: Processes that acquire and distribute products and services and integrate the supply chain outputs
• Customer Management Processes: Processes that enhance customer value and are designed to manage the customer experience
• Marketing & Sales Processes: Processes that identify unmet market needs and differentiate with innovative product/services concepts
• Enterprise Risk Mgmt Processes: Processes that identify enterprise risks and proactively manage the potential risk events

Learning & Growth Perspective
Creating Alignment with Strategy; Creating Readiness for Change
Intangible Assets
Human Capital
• Values
• Skills
• Competencies
+ Information Capital
• Applications
• Databases – BI: KM
• Systems / Networks / Channels
• Business Process Assets
+ Organisational Capital
• Culture
• Leadership
• Knowledge Sharing
• Teamwork

Readiness for change - Align the Intangible Assets of an organisation with the strategic direction

Governance Role of the Audit Committee?
1 Imbibe Values – performance and customer focus, teamwork: Create climate for action through alignment and empowerment.
2 Continuously build individual and organisation Competencies; Integrate IT in all business processes.

P. MARSHALL pafm: Adapted from Balanced Scorecard Collaborative Inc.

Audit Committee Governance Strategy Map clarifies the areas of focus of the Audit Committee in contributing to the role of the Board

STRATEGY MAP - BOARD GOVERNANCE
Board Governance Performance
● Effectiveness and efficiency of operations.
● Reliability of financial reporting.
● Compliance with applicable laws/regulations.

Strategic Governance Outcomes Sustainability Enterprise Contribution Increase Value Reported Increase Profitability and Dividend Potential Monitoring, and reporting Outcome indicators Strategic Alignment Strategy Management Reputation & Trust Stakeholders Communications Risk Management Talent Retention. Effective succession. Enterprise Capability. Increased Value to Shareholders Reliability in Financial Reporting and Value Created Reporting and ROI on Capital Spend Financial Oversight
• Strengthened Staff and Management capability.
• Clearly defined performance accountabilities
Executive and Staff Oversight Reputation, trust, and transparency.
Ethics institutionalised in the environment Enterprise Risk Mgmt Performance Management BSCD Measurement Assess Performance Drivers Financial Governance Covenants to Lenders Compliance Governance Processes re Staff Performance on mutually determined Strategic objectives Institutionalised Risk, Internal Control and Integrity frameworks Strategy options based on potential opportunities and risk appetite exposure Intangible Assets Value Drivers Industry/Customer Segments Process Competencies Knowledge Management Executive Succession Plans Workforce acquisition and staffing plans Ensure disclosures on residual risk are clear and reliable Resource allocation based on the entity’s Value Chain activities, Communications excellence. Ensure a teamwork culture and knowledge sharing Information Security Management Good communications & teamwork across Board Committees and in dialogue with top management Risk Management Leadership Risk Management Structure Ethics & Integrity frameworks Ensure readiness for change and ability to execute Organisation capabilities: Strategic profit management Knowledge Management Design of Management Process Information for Strategic Decision Making and Value reporting

Adaptation Messrs Kaplan and Norton - BSCD Governance Strategy Map

THE VALUE BASED VIEW OF STRATEGIC MANAGEMENT

VALUE ASSESSMENT
Spread v. invested capital, by product
Issue: Where are we creating value?
Output: Growth and return priorities

VALUE DRIVER ANALYSIS
Growth; Industry growth; Share of market; Economic profit; Returns; Operating margin; Asset intensity; Capital structure
Issue: How are we creating value?
Output: Operational initiatives to increase value

VALUE REPORTING
Scorecard
Issue: How can we better communicate our performance internally and externally?
Output: Scorecard that tracks where and how value is being created on an ongoing basis

MANAGEMENT PROCESS REDESIGN
Planning; Budgeting; Value goals; Performance reward; Performance monitoring
Issue: How can our management processes support value objectives?
Output: Ability to identify, fund, track, and reward value-creating initiatives

Copyright © 2002 by American Institute of Certified Public Accountants, Inc.

Learning and Growth Perspective - Human Capital
How much effect do you believe human capital has on each of the following business outcomes?
% of survey participants responding to the above with HCM “large effect” or “critical factor”
• Customer Satisfaction: 92%
• Profitability: 82%
• Innovation / Product Development: 72%
• Merger Acquisition Success: 71%
• Revenue Per Employee: 68%
• Speed to Market: 66%
• Growth: 64%
CFO Research Services on effect of Human Capital on Business Outcomes
Source: CFO Research Services

THE BIG PICTURE OF ORGANISATIONAL PERFORMANCE
• MANDATED BOUNDARY: boundary established by external forces incl. laws, government regulation & other mandates
• VOLUNTARY BOUNDARY: boundary defined by management incl. public commitments, organisational values, contractual obligations & other voluntary policies
• BUSINESS MODEL: strategy, people, process, technology, and Infrastructure in place to drive towards objectives
• OBJECTIVES: strategic, operational, customer, process, compliance objectives
• OPPORTUNITIES
• OBSTACLES & THREATS
A Pathway to Principled Performance®: The OCEG Framework
OCEG 2007 Rise of Principled Performance - Defining the Boundaries of Conduct

STRATEGIC CONTROL ASSURANCE PLAN
Copyright : Standards AS/NZ HB 254 -2005 Governance Risk Mgmt Control Assurance

Corporate governance is an organisation’s strategic response to risk.
The Board is responsible for the organisation’s overall control framework that complements the strategic and operational planning process.
This responsibility is discharged by setting appropriate risk and control policies, and by seeking regular assurance regarding the effectiveness of the control environment.

Control assurance operates through the five Control Elements as follows:
• Planning
• Board
• Organisation
• Management assurance
• Independent assurance

1 STRATEGIC CONTROL ASSURANCE PLAN
2 The Board
3 Organisation
4 Management Assurance
5 Independent Assurance
INFORMATION SYSTEMS
Copyright : Standards AS/NZ HB 254 -2005 Governance Risk Mgmt Control Assurance

The Strategic Direction Plan is framed by four Control Elements

2 The Board
The Board as the shareholder representative has responsibility and accountability for organisational performance to key stakeholders. As well as its oversight role in ensuring Adherence to established policies and the strategic direction, it has a tactical role in maintaining a watching brief over the External and internal environments and organisational Performance through the Executive Director, and obtaining balanced assurance over the control environment from management and Independent sources.

3 Organisation
The Organisation includes the Executive Director, senior managers and staff, and delivers organisational outputs in line with the planned corporate outcomes. This control element provides the opportunity to exercise a high degree of control through sound HR and ethical practices in an environment of open communication. Monitoring and performance review in this control element make significant contributions to the Board’s strategy-management responsibilities.

5 Independent Assurance
Independent Assurance presents the Board with objective information on the control environment through independent bodies such as external and internal audit, and audit committees.
This control element provides a check and balance for the outputs of the Management Assurance control element. When the Board receives positive feedback on the control environment from these independent bodies it can have confidence in the assurance received from Management.

4 Management Assurance
Management Assurance provides the Board with assurance through management monitoring, reviewing and reporting of organisational performance against stated objectives and compliance against laws, regulations, policies, procedures, etc. Management teams or committees may be established to assist in this process.

Copyright : Standards AS/NZ HB 254 -2005 Governance Risk Mgmt Control Assurance

Goals and objectives – The focus of the Controls Assurance Plan
An understanding of the relationship between corporate governance, risk management, controls and strategies is fundamental to the successful implementation of the proposed Controls Assurance Plan. This relationship may be summarised as follows:
1 Corporate governance is a guidance system for the achievement of planned objectives – it is an objectives-focused concept.
2 Management of risk is part of each objective at all levels of the organisation.
3 Risk management develops risk treatment plans that are at the same time the controls and strategies associated with achieving each objective.
4 The meaning of control is broader than internal financial control and is expanded to include all planning and strategies put in place after the corporate objectives have been set. Transparency and probity are part of this control environment.
5 The control environment provides reasonable assurance to Boards and senior managers that the organisational objectives will be achieved within an acceptable degree of residual risk.
6 Corporate governance is an organisation’s strategic response to risk.
7 Reporting against performance measures for each objective is also a report on the effectiveness of strategies, controls and the risk management process for that objective. Risk management reporting is therefore part of performance reporting and not a separate exercise.
Effective risk management is therefore the cornerstone of sound governance.
Copyright : Standards AS/NZ HB 254 -2005 Governance Risk Mgmt Control Assurance

Control Assurance Plan - Information Systems
Key Roles and Accountability – Governance Risk and Compliance Systems
Who should drive integration? What should it look like?
To realize a high-performing GRC system, several key players must be actively involved in the design, implementation, & management of the system.

The Role of the Board
The Board has oversight of the system and ultimately is the primary beneficiary of it, since a strong GRC system enables the flow of accurate information necessary to effective governance. The Board must be an active monitor for shareholder and stakeholder benefit and must:
• Direct the purpose and desired outcomes of the system
• Set a charter for its involvement in the system
• Vet business objectives and ensure they are congruent with values & risks
• Be knowledgeable about the design and operation of the system
• Obtain regular assurance that the system is effective
• Gain reasonable assurance that management’s representations are sound
• Operate aspects of the system that require Board perspective and independence (e.g. overseeing senior management’s override of control activities)
A Pathway to Principled Performance®: The OCEG Framework

Control Assurance Plan - Information Systems
Key Roles and Accountability
The Role of Management
Management must undertake strategic planning and implementation of the GRC system.
Taken as a whole, management must:
• Design, implement and operate an effective system or some aspect of a system
• Provide regular assurance about the effectiveness of the system
• Communicate with key stakeholders about the effectiveness of the system
• Evaluate and optimize the performance of the system

The Role of Assurance
Management should obtain and provide regular assurance about the effectiveness and performance of the GRC system. An independent review can open up a view of the system that reveals not only weaknesses in design or operation, but also opportunities for further integration and exchange of best practices from one area of the organization to another.
A Pathway to Principled Performance®: The OCEG Framework

Control Assurance Plan - Information Systems
Key Roles and Accountability
The Role of Assurance (cont’d)
For its part, the Board is required to obtain regular assurance about the effectiveness of the system and should use information developed independently of management to form impressions of the system’s effectiveness. Independent review is required. For purposes of reviewing a GRC system, internal personnel are ‘independent’ if they are independent of the underlying activity on which they provide assurance.
Assurance personnel, whether internal or external, should:
• Provide assurance that risks are appropriately identified, evaluated, managed and monitored
• Provide regular assurance to the Board and Management that the GRC system or some aspect of it is effectively designed to address identified risks and requirements in light of the organization’s culture and objectives
• Provide regular assurance to the Board and Management that the system or some aspect of it is effectively operating as designed.
A Pathway to Principled Performance®: The OCEG Framework

Learning and Growth Perspective - Information Capital
Business Process Management Best Practices
Source : Denise Bedford Information Quality

Learning and Growth Perspective - Information Capital
Governance, Risk Management & Compliance Process Integration
There are many reasons an organisation seeks to integrate and align its governance, risk and compliance efforts into a GRC system:
1 The cost of complying with an increasingly complex, voluminous and ever-changing patchwork of legal mandates is always rising.
2 There is a lack of visibility into not only operational issues, but also risk and compliance activities.
3 There is unnecessary complexity and duplication of effort taking place to address risks and requirements as numerous processes and controls are buried in isolated silos.
4 The Board and senior management face increased accountability and liability.
5 There is redundancy in some areas and possible gaps in coverage for critical risks in others.
6 The cost of maintaining a duplicate set of information for different purposes and reconciling information when necessary is high.
A Pathway to Principled Performance®: The OCEG Framework

Learning and Growth Perspective - Information Capital
Governance, Risk Management & Compliance Process Integration
Apart from the main governance, risk and compliance processes, other functional and process areas that comprise a holistic governance model include:
• Governance
• Information Technology
• Risk Management
• Business Ethics
• Compliance
• Quality Management
• Strategy and Business Performance Management
• Sustainability & Corporate Social Responsibility
• Internal Control
• Human Capital and Culture
• Corporate Security
• Audit and Assurance
• Legal
• Finance
Within the context of an integrated GRC system, the individual functions share a mutuality of interest, a common need for information and contribution to the organisation’s efforts to achieve Principled Performance.
A Pathway to Principled Performance®: The OCEG Framework

Learning and Growth Perspective - Information Capital
Designing a Business Architecture
• In order to align technology with business, we need to design a business architecture
• Business architecture includes:
– Business framework to which all business definitions and models can be mapped
– Business process management best practices for representing business processes which are manageable by business analysts, understandable to business managers and executable by developers

Learning and Growth Perspective - Information Capital
Current State – Business Framework
• Organisations themselves may not have a comprehensive view of the entity’s business, although there is a wealth of business knowledge and documentation
– Current business definitions may be constrained to what single organizational units do and how they do it
– May be variations on a process across the organization
– Formal policies and procedures may not fully describe how work is done
– May be gaps in coverage of some business processes
– May be redundant descriptions of the same process which are not consistently maintained
– May represent a technology view rather than a human workflow view
– May not describe all of the resources that are required to support a business process

Learning and Growth Perspective - Information Capital
Business Process Management Best Practices
• Business process management recommends that we:
– Define internal best practices and guidelines to ensure that business process models are consistently developed (ARIS Framework)
– Develop business models for processes, and inventory, register and publish existing business models (Business Analysts & Stewards working with IQ and IS teams)
– Recommend standards-based modeling and execution languages to be used by developers for implementing business process models
– Build a business architecture layer as part of enterprise architecture
– Establish an enterprise governance process for business process management

Learning and Growth Perspective - Information Capital
Business Process Models
• A business process should be represented as models of end-to-end sequence of tasks or sub-processes, which describe all of the inputs, outputs and steps/activities required to execute the process
• ARIS framework provides us with a comprehensive view of a business process description
• Working within the business framework, and leveraging the ARIS business processing modeling strategy, we can both harmonize across the organization and standardize our current business knowledge

Business Process Description
Information Services Information Services Strategic Goal Other Services Other Services Data Material Input Material Input Financial Resources Financial Resources Business Process Initial Event Message Org Unit Human Input/Output Steps & Sub-processes Technology Resources Result/Event Infrastructure Architecture Information Systems
Framework - Robust description of a business process includes all elements of the framework.
Application Software

Learning and Growth Perspective - Information Capital
Business Process Models
To design a successful performance intervention, an organization must have a basic understanding of:
• The process’ inputs, steps, outputs; and the measures and standards for all three
• The individuals who will be performing in that process
• What specific performance is required/desired - and what the current level of performance is
• Exactly what knowledge and skills are required to perform
• The strengths and weaknesses of any current Training & Development
• The environmental (non-human) enablers required to perform
• The strengths and weaknesses of any current environmental (non-human) enablers

Learning and Growth Perspective - Information Capital
Business Framework and Business Process Management
• Looking back to the value proposition, we need a level of business process description which will allow us to:
– connect any system associated with the process
– identify the people who support it
– link financial resources
– acknowledge but also cross organizational boundaries
– identify compliance (financial, records) points
– identify data and information quality control points
– identify common steps and sub-processes to simplify and reuse applications
– provide managers with the capability to monitor the process for improvement and planning purposes

Learning and Growth Perspective - Organisation Capital
Overview of Culture & Context

Learning and Growth Perspective - Organisation Capital
C1 EXTERNAL BUSINESS CONTEXT
Understand and, when necessary, influence the external business context in which the organization operates.
Principles
01 Understanding the ever-changing external context is critical to designing a GRC system that is resilient to change and can evolve with it.
02 Some aspects of the external context will change despite the organization’s best efforts to maintain the status quo.
03 Certain aspects of external context can, and in some cases should, be influenced by the organization.
04 The organization should recognize that there are external influencers, such as the media or community groups who can shape stakeholder opinion.
OCEG® Open Compliance & Ethics Group ®

Learning and Growth Perspective - Organisation Capital
C2 INTERNAL BUSINESS CONTEXT
Understand the existing people, processes, technology, organizational structure, stakeholders and key assets that drive organizational value.
Principles
01 Internal context analysis should focus on key aspects that drive organizational value.
02 The organization should design a GRC system that aligns with the internal context.
03 The organization should use the GRC system to identify and change certain aspects of the internal context to better support organizational objectives.
04 Some aspects of the internal context will change despite the organization’s best efforts to maintain the status quo, thus the GRC system must identify triggers that will require or cause it to evolve.
OCEG® Open Compliance & Ethics Group ®

Learning and Growth Perspective - Organisation Capital
C3 CULTURE
Understand the existing culture including the organizational climate and individual mindsets about integrity, compliance, risk, and approach to management.
Principles
01 Leadership should set the tone at the top and provide consistent and repeated commitment to integrity in both words and deeds.
02 Individuals must be convinced that leadership is genuine about its commitment to values or they will not have any regard for the established values.
03 The GRC system can, and in some instances should, change certain aspects of the culture.
04 Some aspects of the culture will change despite the organization’s best efforts to maintain the status quo, thus the GRC system must have triggers that will tell it when to evolve to respond to cultural changes.
OCEG® Open Compliance & Ethics Group ®

Learning and Growth Perspective - Organisation Capital
C4 VALUES & OBJECTIVES
Define what the organization wants to achieve and the values for which it stands.
Principles
01 Without the leadership to support clearly and regularly articulated mission, vision and values, the organization will operate on the values defined, ad hoc, by work groups or individuals according to their own beliefs and interests.
02 Values will vary for every organization - that said, values must include adherence to legal mandates and general principles of integrity and ethical conduct.
03 Whether the organization authorizes the Board or management, with Board approval, to set objectives, the Board must oversee management’s continual efforts to meet the established objectives.
04 Align objectives to stated values.
OCEG® Open Compliance & Ethics Group ®

Learning and Growth Perspective - Organisation Capital
MAJOR STRATEGIC OBJECTIVE: Institutionalise Customer Focus
Leadership Development Programs

RELATED ORGANISATION OBJECTIVES A B C D
MEASURES

Leadership
• Build a cadre of leaders who can leverage human capital for competitive advantage. They deploy through direct coaching/mentoring of staff, the “customer engagement models” that drive the customer satisfaction/lifetime relationship value proposition.
• % participation in customer focus

Culture/Strategy Awareness
• Create an organisation that internalises the shared vision, strategy, and cultural values required to execute on the staff interaction behaviours that deliver the ‘customer experience’ outcomes
• Culture assessment

Alignment
• Create an organisation where personal goals and incentives are aligned with customer focus and loyalty strategy; and one that encourages personal contribution
• % receiving incentive

Teamwork
• Create teamwork and a culture to encourage the sharing of knowledge and experience needed by the Customer Focus strategy

% internal vs. external hires leadership programs

TARGETS
STRATEGIC INITIATIVES
Vision Awareness Program Accountable for strategy Strategy linked to budgets & operations % employees regularly surveyed Personal goals linked to BSC (%) compensation % using knowledge sharing channels
Messrs Kaplan and Norton - BSCD Collaborative
Improve key deficiencies Formal information sharing program Mentoring Program Employee survey Alignment of HR Bus. Balanced Scorecard Cascaded Scorecards Incentive Compensation Key Staff Retention Cross-Functional Teams Shared Rewards

PHILIP A F MARSHALL C.A. F.C.A

ACKNOWLEDGEMENTS
© OCEG 2009 President, Open Compliance & Ethics Group
OCEG® / Driving Principled Performance ®
Mercer Delta Consulting
Standards AS/NZ HB 254 -2005 Governance Risk Mgmt Control Assurance
Denise Bedford Information Quality
American Institute of Certified Public Accountants, Inc.
Messrs Kaplan and Norton - BSCD Collaborative