Chapter 8 – Frameworks for governance, risk and compliance Flashcards
Give some examples of risk-management related governance and compliance issues
- Not following health-and-safety procedures
- Taking excessive amount of financial risk
- Non-compliance with expenses policies
- Fraud and the theft of company assets
- Diversity and discrimination issues
- Not reporting serious risk events to SM
- Hiding control weaknesses
- Sharing personal access passwords
- Leaking sensitive data
- Not declaring any conflict of interest
- Accepting a bribe
What should risk-management policies and procedures include from a risk, governance and compliance perspective?
- An explanation of why they are needed – regulatory compliance, protect stakeholders, objectives, etc
- Risk-management principles – often the values of the organisation
- Roles and responsibilities
- Board and senior management support – setting the tone from the top
- Sanctions for non-compliance
- Communication and training
- Regular reviews and updates – at least annually to ensure fit for purpose
What are the components of an effective compliance-management framework?
- compliance with an organisation’s internal policies and procedures;
- compliance with applicable laws and regulations (such as health-and-safety or environmental regulations)
- compliance with standards, guidelines and codes of conduct that the organisation has chosen to comply with, such as ISO 31000.
To ensure that the agreed compliance standards are enforced within an organisation, three processes and controls are required:
1. compliance-management policies, principles and procedures
o Policy should contain: standards and principles that are expected, links to compliance-management procedures, reporting and escalation arrangements and roles and responsibilities
o Common principles include: expectation that all employees will act honesty and with integrity, preserve the reputation of an organisation, everyone is responsible for risk-management
o Procedures can be varied – how to deal with enquiries from regulators, how to investigate cases of non-compliance, procedures for allowing non-compliance on cost-benefit grounds
2. compliance reporting and escalation processes
o Reporting – periodical – remind the board of the various laws and regulations that must be complied with
o Escalation processes – when ineffective controls are detected or where employees are not behaving in an appropriate manner
3. compliance training and communication
o may be provided in-house or by an external training agency
o regular compliance-oriented communication can supplement formal training
What are the roles and responsibilities of the compliance function or company secretary (in smaller organisations)
o Keeping up to date with legal and regulatory changes
o Communication with legal, regulatory and supervisory agencies, such as the HSE
o Monitor the effectiveness of compliance procedures and controls
o Compliance monitoring reporting to management and the board
o Working with all other business functions to ensure that any non-compliance is rectified
o Co-ordinating compliance-related training and communication activities
What is the three lines of defence model?
The three lines of defence model separates the three complementary roles in the governance and operation of a RM framework:
1. **Operational management **- Day-to-day risk-taking, assessment and control
2. Risk management - Oversight of how risks are taken, assessed and controlled
3. **Internal audit **- Assurance that risk-taking, assessment and control activities are operating effectively and the decisions made are consistent with the organisation’s objectives
One caveat is that the segregation of the three roles does not mean that the individuals performing each of the roles should be physically segregated. These individuals need to communicate on a regular basis and will at times need to work together – trust needed
In 2020, the three lines of defence model was modified by the Institute of Internal Auditors (IIA) proposed an alternative ‘three lines model’. This model came about due to two major criticisms:
- The term, defence, implies a negative, threat focused perspective on risk
- By segregating the roles of the first, second and third lines, staff fulfilling these roles may not work together efficiently – segregation can impact personal relations and prevent effective communication and the building of trust
What is the five lines of assurance?
1. Work units, meaning business unit/function/department managers
2. Specialist units, such as the risk function, compliance function and company secretary
3. Internal audit
4. The CEO, managing director and other senior directors and managers
5. The board of directors or trustees
Why is the five lines of assurance a thing?
- The word defence is not used – word defence implies that risk is a bad thing to be defended against
- The five lines make more explicit the role of the board and an organisation’s executive directors in relation to risk-management governance
How is the five lines of assurance mirror the themes in the UK Code?
- Boards are responsible for determining the nature and extent of the principal risks an organisation is willing to take in pursuit of its strategic objectives.
- Boards should maintain sound risk-management and internal-control frameworks.
- Boards should provide entrepreneurial leadership within a framework of prudent and effective controls that enable risk to be assessed and managed.
- NEDs should satisfy themselves that financial controls and an organisation’s wider risk-management framework are robust and defensible.
- Where appropriate, to set up a board-delegated audit committee that reviews internal financial controls. Unless a risk committee is present, the audit committee also reviews the organisation’s internal controls and risk management framework.
What is ISO 19600:2014?
ISO 19600:2014 is the international standard for compliance-management systems. The standard provides guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organisation.
The standard offers a continuous improvement framework for compliance management that is based on the management-improvement philosophy of ‘plan-do-check-act’.
What is a GRC framework?
Larger organisations, especially those in highly regulated sectors like financial services, may implement management frameworks that combine governance, risk-management and compliance-management activities. These are known as GRC frameworks.
What is the rationale for GRC?
Governance, risk-management and compliance management are inter-related sub-elements of an organisation’s wider management framework. Where these elements are not co-ordinated or integrated in an effective manner, the problem of silo-based management may occur. With a silo approach, tasks may be repeated, reducing efficiency.
What is a GRC information system?
GRC information management systems are used to help co-ordinate and integrate an organisation’s governance, risk and compliance-management activities.
GRC systems often consist of the following elements:
* A repository of all relevant policies and procedures
* A library of the governance, risk and compliance controls used across the organisation
* Governance, risk and compliance metrics
* The results of risk assessments
* Incident management
