Beyond Compliance
Mikaela Reynoldson
Partner, Moray & Agnew
Today’s session
• Group introductions
• Introduction to Compliance
• Introduction to Risk Management
• Case Study
• Conclusion
[Diagram: Context setting → Identify risks → Analyse & evaluate → Treatment & controls → Case study]
Presenter: Mikaela Reynoldson – Partner, Moray & Agnew
Group discussion
What is compliance?
The OH&S problem
Commonwealth Bank of Australia pays $100,000 fine for breach of continuous disclosure law
• On 16 December 2008, as the Commonwealth Bank of Australia (CBA) was attempting to close an AU$2 billion capital raising, it received updated information about its impairment expenses. The issue was abandoned and CBA blamed its adviser for telling potential investors of the impairment expense before the rest of the market.
• The Australian Securities and Investments Commission (ASIC) issued an infringement notice to CBA alleging it had failed to notify the Australian Securities Exchange (ASX) after becoming aware of information about its expected loan impairment expense (LIE) to gross loans and acceptances ratio for the financial year ending 30 June 2009.
Source: Australian Regulatory Compliance Review, Nov 09 (article first reported on Complinet)
Entity Component: Compliance structure
[Diagram: layered compliance structure: Policy; Operating Procedures; Requirements and Obligations Registers; Criteria and Process Flows; Systems; Forms and Templates; supported across all layers by Reporting, Communication and Assurance. Example artefacts shown: Compliance Management Policy, Compliance Management Operating Procedure, Compliance Software, Requirements Register, Obligations Register]
Six main phases of the compliance process
1. Understand the Legal and Regulatory Environment
• Understand the business environment
• Understand and manage relationships with legislators, regulators and government
• Determine categories of compliance and maintain the compliance risk universe
2. Create and Maintain the Obligations Register
• Identify compliance requirements/obligations
• Prioritise requirements
• Identify and manage changes to requirements and obligations
3. Compliance Risk Assessment
• Identify Compliance Risks
• Analyse Compliance Risks: likelihood, consequence and controls
• Evaluate Compliance Risks: determine treatment based on analysis
4. Manage Obligations
• Annual compliance plans
• Breach reporting and management
• Records management
• Project management
• Third parties
5. Monitor and Evaluate
• Performance measures and metrics
• Assurance activities
• Complaints handling
• Continuous improvement
6. Communications & Reporting
• Communication
• Training & Education
• Internal and External Reporting
Compliance risk universe
• Competitive Practices: Advertising; Brand; Competition
• Corruption: Whistleblowing
• Employment: Children; Compensation; Contractors; Discrimination; Education; Immigration; Labour; General
• Governance & Risk: Ethics Policies & Procedures; Risk; Strategy; Trust; Projects; Business Continuity
• Health, Safety & Environment: Environment; OHS; Building & Structural
• Financial: Accounting; Assurance; Financial Management; Sponsorship; Tax
• Information Management: Statistics; Privacy; Records
• International Dealings/Trade: Procurement
• Intellectual Property: Copyright
What is risk management?
“Culture, process and structures that are directed towards realising potential opportunities whilst managing adverse effects”** – AS/NZS 4360:2004
“...Co-ordinated activities to direct and control an organisation with regard to risk” – ISO 31000
(Source: Draft ISO31000 Risk Management – Principles and Guidelines on Implementation, 2008)
Risk defined
“The chance of something happening that will have an impact on achieving objectives” – AS/NZS 4360:2004
“Effect of uncertainty on objectives” – ISO 31000
(Source: Draft ISO31000 Risk Management – Principles and Guidelines on Implementation, 2008)
Risk management creates value
Risk management contributes to the demonstrable achievement of objectives.
(Source: Draft ISO31000 Risk Management – Principles and Guidelines on Implementation, 2008, p.2)
Risk management should be embedded
Risk management should be embedded in all the organisation's practices and processes in a way that it is relevant, effective and efficient. The risk management process should become part of, and not separate from, those organisational processes.
(Source: Draft ISO31000:2009 Risk Management – Principles and Guidelines, ISO, 2009)
Risk frameworks
(The risk management) framework is not intended to prescribe a management system, but rather to assist the organisation to integrate risk management into its overall management system.
(Source: Draft ISO31000:2009 Risk Management – Principles and Guidelines, ISO, 2009)
7 Risk management questions
1. What are we trying to achieve?
2. What events or circumstances could prevent us from achieving our goals?
3. What will the consequences of such events be?
4. How likely are these events?
5. What will we do to prevent negative outcomes?
6. How can we maximise potential opportunities?
7. Can the organisation recover if a risk eventuates?
Risk management framework
[Diagram: Plan-Do-Check-Act cycle: Mandated from the top; Design of framework (Plan); Implementing risk management (Do); Monitoring and review (Check); Continuous improvement (Act)]
Risk management process
[Diagram: establish context → identify risks → analyse risks → evaluate risks → treat risks, with “Communicate and Consult” and “Monitor and Review” running alongside every step; identify, analyse and evaluate together form “Assess Risk”]
Risk rating scales: likelihood
Score  Descriptor    Detailed description
5      Frequent      The event is very likely to occur within 3 months
4      Likely        The event will probably occur within 1 year
3      Occasionally  The event could occur between 1-3 years
2      Unlikely      The event could occur between 3-10 years
1      Rare          The event may possibly occur, but unlikely at a frequency less than 10 yearly
Risk rating scales: consequence
Score  Description
5      Catastrophic / Extreme
4      Major
3      Moderate
2      Minor
1      Insignificant
Consequence is described per category; the categories below are possible categories only: Financial; Service Delivery; Reputation; People & Knowledge; Health and Safety; Legal and Regulatory.
Risk matrix
Likelihood \ Consequence   Insignificant 1   Minor 2   Moderate 3   Major 4   Catastrophic 5
Almost Certain 5           5                 10        15           20        25
Likely 4                   4                 8         12           16        20
Possible 3                 3                 6         9            12        15
Unlikely 2                 2                 4         6            8         10
Rare 1                     1                 2         3            4         5
Risk appetite and risk rating
[Diagram: risk appetite bands plotted against increasing likelihood and increasing impact: Large Appetite for Risk; Standard; Plan for All Extreme Risks; Risk Averse. Escalation levels shown: Board, CEO, Manager, Staff]
Risk response and escalation
Risk      Type of action                                Risk/Audit Committee oversight
Extreme   Immediate action required                     Direct
High      Senior management attention needed            Monitors
Moderate  Management responsibility must be specified   Ensures sign offs and is advised of changes up or down
Low       Manage by routine procedures                  Ensures sign offs
(Escalation levels marked alongside the table: CEO/BOARD, GMs)
Control effectiveness scales
1  Effective                 Indicates minimal uncontrolled risk, due to excellent risk management/controls in place, tested and monitored
2  Good                      Indicates good risk management and control system, but an opportunity for refinement exists to reduce risk further.
3  Fair/Partially Effective  Indicates a need for improvement in controls, increased adherence to controls or that controls are being developed, but are not fully in place and tested.
4  Poor                      Indicates effective risk controls have not yet been developed and a significant lack of risk control exists – additional risk management or treatment is a matter of priority
Compliance risk assessment
Identify Compliance Risks
Analyse Compliance Risks
Evaluate Compliance Risks
Establish the context
• Risk management objectives
• Key stakeholders
• Risk categories
• Roles & Responsibilities
• Risk rating criteria (scales)
  – Likelihood
  – Consequence
  – Control effectiveness
Identify risks
• what can happen?
• how can it happen?
• what is the source/cause?
Eg: Failure of major piece of plant equipment leading to death or serious injury of employees.
Analyse and evaluate risks
Taking into account current controls and their effectiveness: Risk = C x L
Risk  C  L  Control effectiveness  Risk score (L*C)
A     5  5  Partially Effective    25
B     3  5  Effective              15
C     3  4  Ineffective            12
D     2  2  Not assessed           4
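An added worked example (written for this page, not part of the presentation) that encodes the likelihood, consequence and control-effectiveness scales above, builds the 5x5 matrix, scores the four example risks and attaches the action from the "Risk response and escalation" table, going one step beyond the slide by ordering the register for treatment with the weakest or unassessed controls first. The numeric thresholds for the Extreme/High/Moderate/Low bands are an assumption, since the slides name the bands but not the cut-offs, and mapping "Ineffective" onto the Poor level of the control scale is also assumed.

```python
"""Risk scoring worked example: the page's 5x5 matrix, Risk = C x L, and the
four-row example register, with the action for each rating band attached."""
from dataclasses import dataclass

# Scales taken from the likelihood and consequence slides (score -> descriptor).
LIKELIHOOD = {5: "Frequent", 4: "Likely", 3: "Occasionally", 2: "Unlikely", 1: "Rare"}
CONSEQUENCE = {5: "Catastrophic / Extreme", 4: "Major", 3: "Moderate", 2: "Minor", 1: "Insignificant"}

# Control effectiveness scale from the page (1 = Effective ... 4 = Poor).
# "Ineffective" appears in the page's example register; mapping it to level 4 is an assumption.
CONTROL_LEVEL = {"Effective": 1, "Good": 2, "Partially Effective": 3, "Poor": 4, "Ineffective": 4}

# Actions per rating band, from the escalation slide. The numeric cut-offs are an
# ASSUMPTION: the slides name the bands but do not give score thresholds.
BANDS = [
    (20, "Extreme", "Immediate action required"),
    (12, "High", "Senior management attention needed"),
    (5, "Moderate", "Management responsibility must be specified"),
    (1, "Low", "Manage by routine procedures"),
]


def risk_score(consequence: int, likelihood: int) -> int:
    """Risk = C x L, with both inputs checked against the 1-5 scales."""
    if consequence not in CONSEQUENCE or likelihood not in LIKELIHOOD:
        raise ValueError(f"scores must be 1-5, got C={consequence} L={likelihood}")
    return consequence * likelihood


def rating(score: int) -> tuple[str, str]:
    """Map a score to (band, action) using the assumed thresholds in BANDS."""
    for floor, band, action in BANDS:
        if score >= floor:
            return band, action
    raise ValueError(f"score out of range: {score}")


def risk_matrix() -> dict[int, list[int]]:
    """Rows keyed by likelihood (5 down to 1), columns consequence 1..5, as on the slide."""
    return {l: [risk_score(c, l) for c in range(1, 6)] for l in range(5, 0, -1)}


@dataclass
class Risk:
    name: str
    consequence: int
    likelihood: int
    control_effectiveness: str  # a CONTROL_LEVEL key, or "Not assessed"


@dataclass
class Assessment:
    name: str
    score: int
    band: str
    action: str
    control_gap: bool  # True when the controls were never assessed


def assess(register: list[Risk]) -> list[Assessment]:
    """Score every risk and order the register for treatment: highest score
    first, and among equal scores the weakest (or unassessed) controls first."""
    def weakness(r: Risk) -> int:
        # Unassessed controls are ranked worse than Poor so they surface for review.
        return CONTROL_LEVEL.get(r.control_effectiveness, 5)

    ordered = sorted(register, key=lambda r: (-risk_score(r.consequence, r.likelihood), -weakness(r)))
    results = []
    for r in ordered:
        score = risk_score(r.consequence, r.likelihood)
        band, action = rating(score)
        results.append(Assessment(r.name, score, band, action, r.control_effectiveness not in CONTROL_LEVEL))
    return results


# Constructed from the page's example table (risks A to D).
EXAMPLE_REGISTER = [
    Risk("A", 5, 5, "Partially Effective"),
    Risk("B", 3, 5, "Effective"),
    Risk("C", 3, 4, "Ineffective"),
    Risk("D", 2, 2, "Not assessed"),
]

if __name__ == "__main__":
    for l, row in risk_matrix().items():
        print(f"L={l} {LIKELIHOOD[l]:<12}", " ".join(f"{v:>3}" for v in row))
    for a in assess(EXAMPLE_REGISTER):
        flag = "  [controls not assessed]" if a.control_gap else ""
        print(f"Risk {a.name}: score {a.score:>2} {a.band:<8} -> {a.action}{flag}")
```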
Risk treatment options
• Accept: risk acceptable with current controls (or cannot be reduced further and accepting risk)
• Reduce: risk not acceptable with current controls – additional controls to reduce either L or C or both
• Avoid: with current controls the risk cannot be reduced, and we do not want to accept it
• Transfer: options include insurance, contract, outsource (*never really transfer all risk!)
Monitor & Review
BOARD (Quarterly; legislation requires at least an annual review)
• Report format and frequency reflect Board preferences
• Heat maps/matrices – visuals and graphs popular
• Summary of critical and strategic risks
• Risk per risk category
• Trend reports
COMMITTEES (Committee to advise)
• Report type reflects committee responsibilities:
  • Finance: Detailed financial risks prior to budgeting/planning
  • OH&S: OH&S and infrastructure risks
EXECUTIVE (Monthly – Quarterly)
• As per Board
• May require monthly risk summary
MANAGEMENT (Monthly – Quarterly)
• Summary of all risks allocated to specific risk owner/s
• Include control and treatment information, due dates for action, treatment status
STAFF (Ad hoc)
• Informal feedback from supervisors
• Communicate successes of risk initiatives
EXTERNAL (As required by stakeholders)
• Statement in annual report
• Ad hoc communications to business partners, press, public
• Mandated risk reporting to minister/s, departments etc.
Communicate and consult
• Inform and seek feedback from stakeholders
• Reports
• Statements in annual report
• Information available on website
• Internal communications (newsletters)
• Meetings (agenda items)
• Training and induction programs
• Policies and procedures
Case study 2
Scenario 2: Financial Management Act 1994 (Vic)
Case Study
Scenario 3: Information Privacy Act 2000 (Vic)
Bringing it all together
• Compliance is the minimum legal standard
• Need good risk management – think beyond compliance obligations
• Governance, risk and compliance are interconnected – must have all three

Editor's notes

1. Risk management is HOW a business or government achieves its objectives. The focus should be on how it will add VALUE to what is being undertaken and how best to achieve that. Too often the focus shifts away from what is trying to be achieved, and whether there is any value in undertaking the activity, to all the things that could go wrong and finding ways to prevent them. This stifles innovation and creativity.