Are you a company director concerned about your governance and compliance obligations, and unsure how much you have to do to fulfil them?
Managing the obligations
Following the paper trail – How safe is it to rely on those management sign-offs? asks Jon Tyers*
Are you a company director concerned about your governance and compliance obligations, and unsure how much you have to do to fulfil them?
For instance can you rely on information and explanations provided to you by management? How relevant and reliable is the information you are receiving? More to the point how complete is the information?
No doubt the recently issued ASX Corporate Governance Guidelines will increase the paper trail of management sign offs in listed companies, whereby directors are passing accountability down the line, and at the same time trying to obtain a level of assurance regarding compliance and risk management that they are comfortable with.
Face value of sign offs
How risky though, is it for directors to rely on this paper trail for compliance, risk management and financial statement obligations? Are all the sign-offs of real value, and therefore comfort to the board? The answer to that is, only if they are supported by good compliance and risk management processes.
There is no intention here to infer that executive sign-offs are not to be trusted, or that the majority of corporate executives are untrustworthy. If you think of recent corporate collapses however, how many members of senior management chose to alert the board that all was not well?
One of the key issues to consider is whether executives are likely to "tell it the way it is", and recognise that if they are to do so they may be required to abandon self interest for the good of the company. This obviously leads to the question of whether all executives will put the organisation before what they see as their own interests? Those who espouse corporate values and commitment to good governance may like to think that they will, but does this regularly manifest itself in practice?
So, as a board member you may be thinking "Well how much am I expected to do? What would a competent and reasonable director do?" The real problem with sign-offs is that if management is-signing off that compliance obligations are being met, and that risks are being managed effectively, it does not necessarily mean that they actually are.
Asking the right questions
A typical response to this is that if management are signing off when they have not established a sound basis for doing so, then they will be held to account for their actions, but by the time issues of non-compliance become apparent, or risks materialise, it's too late. By implication, the board needs to know how and why management is able to sign-off. There are a few key steps to achieve this:
• ask executives if they are aware of all key compliance obligations of their business, in the sign off questionnaire;
• ask them to list the key pieces of legislation, regulations and internal policies, against which they monitor compliance;
• ask them whether all substantial requirements of these Acts, regulations and policies are embedded in key business processes;
• ask them how they know that these key business processes are operating as documented/intended;
• ask them if staff are regularly trained in business processes and their compliance elements, including induction training for new employees (much of this will be covered by FSR requirements but executives still need to assert that they are meeting their obligations);
• ask the central compliance unit whether the businesses have been made aware of, and trained in, all changes to key compliance requirements;
• ask for impact assessments of all material changes to compliance requirements;
• ensure that a regular independent compliance audit program is in place;
• regularly receive summaries of the results of the compliance audit program;
• regularly review business unit risk assessments and activities in place to mitigate risks;
• importantly, review the progress of action plans to address risk and compliance vulnerabilities on a regular basis; and
• most importantly, ensure that there is clear ownership of key business processes, and accountability for management of risks within those processes, including inter alia continuity, compliance, resources and skills, and processing risks.
Business resistance
It is unlikely that executive management will be falling over themselves in eagerness to embrace all of this. After all they have a business to run, and are likely to see such an exercise as an imposition from head office functions that do not adequately understand their business.
Once implemented however, the above steps can and should have significant benefits for the business. This is the key to getting business stakeholder support, although a director may feel that it should not be necessary to negotiate to get their buy in.
Some of the key benefits to established risk management and compliance processes include:
• greater ownership and accountability for key processes, being those that support the business margin, and are therefore critical to success;
• a better understanding by management of their own business, through regular examination of processes;
• the establishment of a culture of continuous improvement, and good business practice which contributes to a responsible business ethic;
• improved decision making based on increased business knowledge, and risk information;
• avoidance of surprises.
Smart operators in the business know that to have transparency in the management of compliance and operational risks works in their favour, and in addition to reducing the likelihood of an adverse event, it gives credibility to their defence should something go wrong.
Indeed, they hold a privileged position as custodians of shareholders funds. As such they must expect to be accountable, including being able to demonstrate effective risk management.
Costs vs benefits
In order to avoid the imposition of risk management and compliance processes the business often uses the cost/benefit argument. There has also been a lot of press coverage given to the increased costs of compliance recently, particularly in relation to the time boards spend to meet their obligations. In response I would make the following points:
• the bulk of the cost arises in educating the business in risk management, building appropriate frameworks, embedding compliance into business processes, and creating the necessary reporting frameworks. Once established and embedded in business as usual practices however, the overhead can be minimised.
• effective risk management processes encourage responsible use of funds. Amounts in excess of the cost of implementing and maintaining a proper risk management framework can easily be wasted by the business on fruitless activities.
• with robust risk management and compliance processes in place, boards will quite reasonably feel more comfortable about relying on the sign-offs, and will be able to minimise the time spent on meeting compliance and general governance obligations.
* Jon Tyers is an independent risk management consultant. He can be contacted at jbtyers@ozemail.com.au
Disclaimer
The purpose of this database is to provide a full-text record of all articles that have appeared in the CDJ since February 1997. It is aimed to assist in the research and reference process. The database has a full-text index and will enable articles to be easily retrieved.It should be noted that information contained in this database is in pre-publication format only - IT IS NOT THE FINAL PRINTED VERSION OF THE CDJ - therefore there might be slight discrepancies between the contents of this database and the printed CDJ.
Latest news
Already a member?
Login to view this content