Frameworks for governance, risk and compliance Flashcards

(49 cards)

1
Q

8 examples of risk-man-related governance and compliance issues

A
  • not following H&S procedures
  • fraud and theft of company assets
  • diversity and discrimination issues
  • not reporting serious risk events
  • hiding control weaknesses
  • sharing personal access passwords
  • not declaring CoIs
  • accepting a bribe
2
Q

In what way are risk-man, governance and compliance inseparable? (2)

A

It is impossible to have effective risk-man without appropriate governance and compliance frameworks

Effective governance and compliance relies on risk-man processes, tools and techniques

3
Q

2 primary roles of risk-man policies and procedures

A

Risk-man decisions and activities of all employees are consistent and appropriate in terms of:
- an org’s objectives
- legal and regulatory obligations

4
Q

To support effective governance and compliance, the implementation of risk-management policies and procedures requires the following:

A
  • an explanation of why they are needed
  • the organisation’s risk-management principles in a risk-management policy
  • clear and unambiguous roles and responsibilities
  • board and senior management support
  • sanctions for non-compliance
  • communication and training
  • regular reviews and updates
5
Q

4 examples of risk-man principles

A
  • Protecting the environment
  • Protecting stakeholders from physical harm
  • Regulatory compliance
  • Excellent customer service
6
Q

Re. risk appetite, from a governance and compliance perspective, employees should understand:

A
  • risks that may be taken, and limits to level of risk exposure
  • risks that should not be taken where practicable
  • management roles and committees that have authority to waive limits or take risks beyond appetite
7
Q

Compliance-man frameworks are necessary to ensure:

A

Compliance with:
- an org’s internal policies and procedures
- applicable laws and regulations
- standards, guidelines and codes of conduct that an org has chosen to comply with, such as ISO 31000

8
Q

An org’s compliance standards are a combo of: (2)

A
  • Imposed standards, via laws and regulation
  • Self-imposed standards, set by the org to meet its objectives and stakeholder needs
9
Q

What is the ALARP principle?

A

‘as low as reasonably practical’

UK H&S law and some other regimes allow orgs to weigh up hazards against time and money required to control them

10
Q

When might an org take the stance that some non-compliance is ok (provided it is reported and explained)?

A

Where costs of compliance exceed the benefits

11
Q

Three processes and controls required to ensure agreed compliance standards are enforced:

A
  • Comp-man policies and procedures
  • Compliance reporting and escalation processes
  • Compliance training and communication
12
Q

Comp-man policy should contain: (4)

A
  • Expected standards and principles
  • Links to comp-man procedures
  • Reporting and escalation arrangements
  • Roles and responsibilities
13
Q

Common comp-man principles (4)

A
  • Expectation to act with honesty and integrity
  • Managing comp risks in order to preserve reputation and financial resources
  • Decision makers own their own compliance risks, despite board being ultimately responsible
  • Adequate monitoring and reporting of non-compliance to management
14
Q

Comp-man procedures may relate to: (6)

A
  • Reporting and escalation
  • Testing effectiveness of controls
  • Dealing with regulatory enquiries
  • Investigating unauthorised non-compliance
  • Disciplinary procedures for unauthorised non-compliance
  • Procedures for allowing non-compliance on cost-benefit grounds
15
Q

Common form of compliance reporting

A

A periodical review of compliance, normally prepared by CoSec and reported to board

16
Q

When do escalation processes come into play?

A

When ineffective controls are detected or where employees or managers are not behaving in an appropriate manner

17
Q

To whom should non-compliance be escalated?

A

The appropriate level of management:

  • being the board if non-compliance threatens the whole org
  • being a line manager if the non-compliance is less serious, such as minor H&S breach
18
Q

3 aspects of compliance training and communication

A
  • External training if necessary (e.g. for H&S)
  • In-house training where sufficient
  • Compliance-oriented communication such as through emails and memos to supplement formal training
19
Q

Compliance management and internal control (2)

A

Two terms that are sometimes used interchangeably, or one is viewed as part of the other

If they are separate functions in an org, co-ordination is required to avoid duplicating similar activities

20
Q

What is risk-based compliance?

A

Based on principle that activities or decisions that have a higher degree of comp-risk should receive more comp-man resources

21
Q

Risk-based compliance requires:

A

An assessment of comp-risk through identification and evaluation of probability and impact (exposure)

22
Q

Responsibilities for comp-man will fall onto: (4)

A
  • Compliance function
  • Board and risk and audit committees
  • CoSec and gov professionals
  • Other business areas
23
Q

Who might fulfil role of compliance function in a small org that does not have dedicated function? (2)

A
  • Nominated manager (such as CoSec)
    or
  • External compliance services provider if outsourced
24
Q

Normal responsibilities for compliance function: (6)

A
  • Keeping up to date with legal and regulatory changes and informing management
  • Communicating with legal, regulatory and supervisory agencies
  • Monitoring effectiveness of comp procedures and controls
  • Compliance monitoring reporting to management and board
  • Working with managers and business functions to ensure quick rectification of any non-compliance
  • Co-ordinating compliance-related training and communication
25
Q

Role of board and risk and audit committees on comp-management (4)

A
- Board is accountable for effectiveness of comp-man activities
- Assurance should be provided to board through comp-man reviews and reports of serious non-compliance
- Risk and audit committees will support work of the board on comp-man, including overseeing actions taken to address weaknesses or non-compliance
- Comp-man policy should be reviewed and approved by board and risk and audit committee

26
Q

Role of CoSec and gov professionals on comp-management (2)

A
- Work with compliance function to ensure board has assurance information required to determine if compliance arrangements are appropriate
- Potential for direct responsibility in smaller orgs

27
Q

Re. comp-man - In other business areas, managers will have responsibilities to ensure all employees are compliant, including:

A
- Monitoring effectiveness of local compliance procedures and controls
- Taking steps to address non-compliance
- Escalating concerns to more senior management and the compliance function

28
Q

3 formal governance structures for risk-man, common in larger organisations:

A
- Three lines of defence approach
- Three lines model
- Five lines of assurance

29
Q

Which type of organisation most commonly employs the three lines of defence approach to risk-man governance?

A

Financial services

30
Q

Three lines of defence approach to risk-man governance, with short description of responsibility, and what they must ensure

A

1st line: Operational management
- Front-line decision-makers who take and control risk
- Must ensure decisions are consistent with strategic and risk-man objectives

2nd line: Risk management
- Responsible for design and implementation of risk-man framework and for risk reporting to management and board
- Must ensure business managers follow framework and make risk-man decisions consistent with org's objectives

3rd line: Internal audit
- Provide assurance to management and board that the risk-man framework is operating effectively
- Must ensure any weaknesses in design or implementation of risk-man are detected and corrected

31
Q

Three lines of defence approach is based on which classic governance control?

A

Segregation of duties of employees into specific roles, to avoid conflicts of interest

32
Q

Caveat of segregation of three roles in three lines of defence approach

A

Individuals performing each role need not be physically segregated, and will at times need to work together and be open and honest, so they need to understand each other and value all three roles

33
Q

What is the IIA?

A

Institute of Internal Auditors

34
Q

2 major criticisms of three lines of defence approach which led to proposition of three lines model by the IIA:

A
- The term defence implies a negative, threat-focused perspective on risk, inconsistent with notion that risk can bring opportunities as well as threats
- Segregation of roles does not support efficient collaboration between staff fulfilling these roles, as it prevents effective working together and the building of trust

35
Q

7 core principles of the three lines approach to risk-man governance

A
- Governance requires structures and processes that enable accountability
- The governing body is accountable for effective governance, but must delegate much of day-to-day responsibilities
- Management spans first and second lines, which can be blended or separated
- First line role involves delivery of products and services and management of associated risks
- Second line assists first line in management of risk, and includes specialists (in risk, compliance and governance)
- Third line provides independent and objective assurance on adequacy and effectiveness of governance and risk-man, and must retain independence at all times
- All lines must work together to create and protect value for org and its stakeholders

36
Q

Three lines model vs Five lines of assurance

A
- Could be argued that three lines model supersedes five lines of assurance
- Three lines model not yet embedded in orgs, so it is likely that five lines of assurance approach remains in use

37
Q

2 ways in which five lines of assurance differs from three lines of defence

A
- Word defence is not used (in recognition that risk brings gains as well as losses)
- Five lines model more explicit in role of board and an org's execs

38
Q

First three lines of five lines of assurance (which are very similar to three lines approach), and key differential in these roles compared to three lines of defence

A
- Work units (business units/functions)
- Specialist units (risk, compliance, CoSec)
- Internal audit

Key differential: roles have a focus on value-creating risks as well as value-destroying risks

39
Q

4th and 5th lines of five lines of assurance:

A
- CEO, MD, senior managers
- Board of directors

40
Q

Five lines approach - responsibility of CEO (2)

A
- Building and maintaining a robust risk-man framework
- Ensuring that the most significant value-creating and value-destroying risks are managed

41
Q

Five lines approach - board has ultimate responsibility for (2)

A
- Ensuring risk-man framework is effective
- Ensuring other four lines are performing roles appropriately
- Identifying, monitoring and controlling the residual risk associated with org's objectives

42
Q

Typical structure for governing risk-man activity within a large group structure

A

Common to have a group risk-man function supported by satellite risk functions that are divisional, country-level or business-unit based

43
Q

What is ISO 19600:2014?

A

The international standard for comp-man systems

Provides guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive comp-man system within an org

44
Q

ISO 19600:2014 divides comp-man into which 2 phases?

A
- Establishment
- Implementation

45
Q

ISO 19600:2014 - 5 tasks within establishment phase

A
1 - Identification of issues
2 - Identification of interested parties and their requirements
3 - Determining scope of risk-man system and establishing system
4 - Establishing compliance policy
5 - Adopting good governance principles

46
Q

ISO 19600:2014 - 6 tasks within implementation phase

A
6 - Identification of compliance obligations and evaluation of compliance risks
7 - Leadership commitment and establishment of other roles and responsibilities
8 - Planning to address comp risks and achieve comp objectives
9 - Operational planning and control of comp risks
10 - Performance evaluation and comp reporting
11 - Managing non-compliance and continuous improvement of framework

47
Q

What is a GRC framework?

A

A framework which combines governance, risk-man and comp-man activities

48
Q

Benefits of implementing a GRC framework

A
- Co-ordination and integration of the three elements to avoid problems of silo-based management:
  - Repetition of tasks
  - Similar reports produced by each element
- Recognition of links between elements, reducing chance of undetected exposures or weaknesses

49
Q

Three areas of GRC which are especially common:

A
- Financial GRC
- Information technology GRC
- Legal GRC