CHAPTER 2:
GOVERNANCE AND RISK MANAGEMENT

Chapter one observed that corporate governance is overtly concerned with board structure, executive compensation and shareholder reporting, but the underlying assumption is that the board is responsible for managing the business and controlling the risks to its assets and trading future. Governance matters, and not just to the press: 20 out of the 30 largest European asset managers now factor governance into their investment assessments; institutional shareholders (particularly in the US and UK) are increasingly militant, with big pension funds under government pressure to exercise their votes in favour of effective corporate governance; and the regulatory objectives of governments across the OECD are converging – as this chapter will show - around a common understanding of corporate governance.

There are still substantial practical differences between corporate governance frameworks in different jurisdictions: separation of the roles of CEO and Chairman is uncommon in the US, as is the right of shareholders to call an EGM, whereas the converse is true in the UK and in UK-related economies. Two-tier boards are more likely in continental Europe than in either the UK or the US. The US corporate governance framework has a far higher degree of compulsion about it than does the UK’s ‘comply or explain’ regime; continental European regimes are still in their infancy. This book is not, however, about corporate governance per se. It is about extending best practice in corporate governance to the governance of information and IT in the modern enterprise.

Effective corporate governance is transparent, protects the rights of shareholders, includes both strategic and operational risk management, is as interested in long-term earning potential as it is in actual short-term earnings, holds directors accountable for their stewardship of the business, and ensures that directors exercise their fiduciary duties responsibly.

Fiduciary duties

Corporate governance could be thought of as the framework within which boards of directors exercise their fiduciary duties to the organizations that appoint them. Most people know what is meant by ‘fiduciary duties’ and the summary here is simply designed to provide the context for the rest of this chapter.

‘Fiduciary duties were first elaborated by common law judges, operating without any guidance from the formal written law. Indeed, the company laws of the United States, and many other common law jurisdictions, contain no statement at all of the core fiduciary duties of care and loyalty. The fiduciary duties of directors are continuing to evolve, again without formal written law. The classic statement…is that directors owe to shareholders, or perhaps to the corporation, two basic fiduciary duties: the duty of loyalty and the duty of care.’31

Professor Black, of the Stanford Law School, says that the duty of loyalty is the most important: directors should act in the interests of their organization, not of themselves. They must avoid conflicts of interest. A standard method of doing this, in possible conflict-of-interest situations, is to seek transaction approval from independent, non-interested directors.

The duty of disclosure expects directors to provide full disclosure to shareholders of all matters that might affect the outcome of a vote on an issue on which shareholders are entitled to vote, and on all conflict-of-interest transactions.

The third duty is the duty of care: the duty to pay attention and to try and make good decisions. The decisions do not actually have to be good ones; the directors are simply required to try and make good decisions. The United States has the ‘business judgement rule’, also known as the ‘doctrine of non-interference’. This allows directors to take business risks, even extreme ones, without fear of legal penalty for failure.

31 Professor Bernard S Black, Stanford Law School, Presentation at Third Asian Roundtable on Corporate Governance, April 2001.

However, as was described in the introduction, directors are starting to discover that their personal liabilities in respect of corporate failures may lead to personal financial losses; the duty of care is being re-defined in a number of court cases and, in the current governance climate, it might be expected that a much tougher definition will emerge.

Governance frameworks

The cost of failure is, however, borne by shareholders, by employees, suppliers and other stakeholders in the organization. The UK, in the Cadbury, Greenbury and Turnbull Reports of the 1990s, led the way in defining how the directors’ duty of care – in respect of executive compensation and board management – should be exercised. Progress, particularly in the aftermath of the post-Internet Bubble scandals, has continued. The UK’s revised Combined Code is now explicit in saying that all directors are required to “provide entrepreneurial leadership of the company within a framework of prudent and effective controls which enable risk to be assessed and managed”32. This recognises the need for a risk management framework and leaves rather less room for ‘wild’ risk taking than Professor Black described in 2001. By 2002, the US Sarbanes-Oxley Act had mandated the adoption, by US listed companies, of an appropriate system of internal control and, in parallel, had required directors to start monitoring and reporting operational risk.

OECD Principles of Corporate Governance

The OECD Principles of Corporate Governance were originally issued in 1999 and quickly became an international benchmark for corporate governance developments across the world, including in non-OECD countries. Within the OECD, 30 voluntary codes of corporate governance have been adopted, mostly since 2002. These include Australia (2003), Austria (2002), Canada (2002), France (2002), Germany (Kodex, 2003), Italy (2002), Japan (2001), Netherlands (Tabaksblat, 2003) and Switzerland (2002). These codes are all very recent, are all on a ‘comply or explain’ basis and, within a varied legal and cultural climate for compliance, there are widely varying levels of compliance.

32 ‘UK Revised Combined Code, Higgs Suggestions for Good Practice’, January 2003

The OECD principles were revised, following extensive consultation, and re-issued in April 2004. They identified six key areas in which a corporate governance framework should operate, including the protection of shareholders’ rights, the timely and accurate disclosure of all material matters regarding the corporation, and that the board should be accountable to the company and the shareholders for providing strategic guidance and effective monitoring of management. The board should ‘focus on long-term issues, such as assessing corporate strategy, and activities that might involve a change in the nature and direction of the company’.33

Guideline for Directors: the board cannot meet this obligation without extending its corporate governance responsibilities to explicitly include information and IT.

BIS and Basel 2

Banking failure can be more catastrophic than any other failure. Banking organizations need, for that reason, to go further in risk management terms than other commercial entities. In the banking world, an international accounting and risk management framework, driven by the Bank for International Settlements (BIS), has already emerged. BIS is the central banks’ central bank. It exclusively serves central banks and other international organizations and its declared aim is to ‘foster cooperation among central banks and other agencies in pursuit of monetary and financial stability’. In June 2004, the Bank’s Basel Committee on Banking Supervision published its ‘International Convergence of Capital Measurement and Capital Standards: a Revised Framework’, which has become known as Basel 2. (Basel 1, the Basel Capital Accord of 1988, set out the first internationally accepted definition of, and measurement for, bank capital. It is thought to have been adopted in more than 100 countries.) The Basel 2 framework detailed ‘more risk-sensitive requirements’ for banking organizations in assessing their capital adequacy, and ‘seeks to strengthen market discipline by enhancing transparency in banks’ financial reporting.’34 While the Chairman of the Basel Committee on Banking Supervision has admitted that ‘implementing the Basel 2 rules governing international banks’ capital will be as difficult and important as drawing up the rules, which took five years’, there can be no doubt about BIS’s determination to complete implementation, the start date for which is 2007. While practical difficulties may lead to a deferral of the actual start date, the implementation of these rules is now inescapable.

33 ‘The OECD Principles of Corporate Governance’; policy brief, April 2004

Operational risk

Basel 2 seeks to achieve its goal of strengthening the international financial system through three pillars. Pillar 1 aims to align a bank’s minimum capital requirements more closely to its actual risk of economic loss, and to establish an explicit capital charge for a ‘bank’s exposures to the risk of losses caused by failures in systems, processes, or staff or that are caused by external events’.35 Those banks whose approaches to measuring, managing and controlling their operational risk exposures are appropriate to the risk area will have lower capital requirements. While Pillar 2 allows for supervisory review of banks’ risk management processes, Pillar 3 explicitly sets out to enhance transparency in banks’ public reporting in order to ‘leverage the ability of market discipline to motivate prudent management’.

These governance frameworks all require the collection and storage of commercially sensitive data in order to satisfy their reporting obligations. These requirements are contained in general legislation such as the US Sarbanes-Oxley Act and the UK Companies (Audit, Investigations and Community Enterprise) Act 2004, as well as in sector-specific regulation enforced by bodies such as the Financial Services Authority and the Securities and Exchange Commission.

34 BIS Press Release, 26 June 2004

35 BIS Press Release, 26 June 2004

Guideline for Directors: in order to comply, directors will need to satisfy themselves that their IT systems do not themselves pose any operational risks to the company, and that their automated controls are all adequate.

Capital markets and financial reporting convergence

The governance and financial reporting requirements of the UK, US and the rest of the world are converging. This is inevitable, given the sheer size of the western capital markets, and the freedom (and speed) with which financial capital moves around the world: 81 percent of international debt issuance takes place in the EU and US; nearly 90 percent of derivative trading (both OTC and exchange traded) takes place in the EU and US; at the end of 2003, the EU and US represented US$22 trillion out of the world’s US$31 trillion in stock market capitalization. The UK represents the lion’s share within the EU.

The simple truth is that any organization wanting to access the world’s largest pool of liquid, available financial capital can only turn to the west. And governance requirements, just like financial reporting requirements, are converging as financial institutions and regulatory bodies drive for increased transparency and ease of comparison across multiple jurisdictions.

Until recently, the major accounting standards were US GAAP (Generally Accepted Accounting Principles), used by the US and Canada, UK GAAP, used in the UK and in UK-related economies, and the IAS (International Accounting Standards), used almost everywhere else; different accounting treatments made it difficult for investors – even where corporations reconciled accounts drawn up in accordance with two (or more) standards – to compare corporate performance both within and across sectors.

The UK’s ICAEW (Institute of Chartered Accountants in England and Wales) said: ‘the globalization of the business world and the attendant structures and regulation which support it, as well as the development of e-commerce have all had a profound effect on business. Deregulation and increased competition are also bringing paradigm changes to the way in which the profession operates.

As markets converge and geographical borders no longer present the same trade barriers increasingly there is a need for globally accepted accounting standards. Business needs them, investors are demanding them and accountants are under an obligation to ensure delivery.’ And that is what is happening.

IAS, renamed IFRS (International Financial Reporting Standards), is being adopted (by EU directive) for all EU listed companies with effect from 2005, and the US FASB (Financial Accounting Standards Board) and the IASB are now working toward convergence of accounting standards. This initiative is expected to finalise a single set of international accounting standards by 2007. The IASB is also working with the Bank for International Settlements (BIS), IOSCO (the International Organization of Securities Commissions) and the Japanese accounting body to drive IFRS into all non-US markets, IOSCO having already endorsed (in May 2000) the use of IAS for cross-border reporting.

Converging audit requirements

Inevitably, with one set of accounting standards, applied by companies accessing a single corporate pool of capital, there is also a drive toward a convergence in auditing requirements. While the Corporate and Auditing Accountability, Responsibility, and Transparency Act of 2002, named the Sarbanes-Oxley Act after its sponsors, was a response to a specific set of post-asset-bubble circumstances, it did raise the bar for audit standards worldwide, as it mandated board and auditor independence, and required management to report (with an audit opinion) on the quality of its internal control over financial reporting.

UK Companies Act 2004

The UK’s Companies (Audit, Investigations and Community Enterprise) Act of 2004 placed a statutory duty on officers and employees (including ex-employees) to provide auditors with information (other than legally privileged information) and explanations in respect of any issue related to their audit of the company’s accounts. The directors are required to make a statement that they have disclosed (having taken appropriate steps to ascertain it) all relevant information to the auditors and making a false statement will be a criminal offence. The UK’s Financial Reporting Review Panel (the FRRP), which was originally set up in 1990 to look into instances of corporate accounting non-compliance with UK GAAP, gained new powers to require companies, directors and auditors to provide documents, information and explanations if there might be an accounts non-compliance with relevant reporting requirements.

With the exception of small and medium enterprises, UK companies will be required to make detailed disclosure of non-audit services supplied by their auditors.

For financial years beginning on or after 1 April 2005, UK quoted companies (which includes UK registered companies that are officially listed in an EU state or on either the NYSE or Nasdaq, but not those on AIM or OFEX) will be required to publish an Operating and Financial Review (OFR). Under the Companies Act 1985 (Operating and Financial Review and Directors’ Report etc) Regulations 2005, companies are required to include a fair review of their business in the directors’ report and to publish an auditor’s opinion on the consistency of the OFR and the accounts; a criminal and administrative enforcement regime is also created. Previously a voluntary report, the OFR must reflect the directors’ view of the business, with the objective of assisting investors to assess the strategies adopted and the potential for those strategies to succeed. DTI guidance is that the OFR must ‘include a description of the resources available to the company, [and] of the principal risks and uncertainties facing the company’.36

The FRRP, the FSA (the UK’s Financial Services Authority) and the UK Inland Revenue are also in the process of coordinating their investigative activities so as to comply with standards set by the Committee of European Securities Regulators. The FSA retains the power to decide on corrective or punitive action and it has a range of sanctions available to it.

EU 8th Company Law Directive

Clearly driven as much by SOX as by its own home-grown corporate disasters, the EU issued a ‘Directive on Statutory Audit’ in 2004. This directive (sometimes called ‘Europe’s SOX’, or ‘SOX-lite’) will, when it is adopted, replace the existing EU 8th Company Law Directive of 1984. It ‘clarifies the duties of statutory auditors, provides for their independence and ethical standards, introduces a requirement for external quality assurance, and provides for the public oversight of the audit profession and improved cooperation between oversight bodies in the EU.’37 The directive, seen as a ‘minimum harmonisation’ proposal for statutory audits within the EU, also provides a basis for international co-operation between EU regulators and those in third countries. ‘The Commission believes that the [PCAOB (the US Public Company Accounting Oversight Board)] is particularly important because of the global nature of modern capital markets.’

Negotiations between the EU, the SEC (the US Securities and Exchange Commission) and the PCAOB have been taking place to try and avoid EU auditors having to register with the PCAOB. In the UK, the remit of the FRC (Financial Reporting Council) was extended to include independent oversight (through its newly set up Professional Oversight Board for Accountancy (POBA)) of the accounting profession. EU and US audit rules are now ‘quite convergent’, following the principles of independent public oversight, audit quality assurance, more frequent auditor rotation and avoiding conflicts of interest.

36 ‘Guidance on the OFR and changes to the directors’ report’, January 2005 by the UK’s DTI.

37 ‘Proposal by the European Commission for a Directive on Statutory Audit of Annual and Consolidated Accounts’, September 2004 by the UK’s DTI.

The adoption of IFRS and the regulatory convergence opens up the opportunity for the widespread formal adoption of the International Standards on Auditing (ISA). ISAs are published by the IAASB (the International Auditing and Assurance Standards Board) and are already incorporated into the national auditing standards in a number of countries.

Corporate Governance in Europe

There are two main corporate governance models in the EU. The first is the traditional, continental European model, in which companies are largely controlled by ‘block holders’, an individual, group of individuals or an organization that controls most of the votes at the company’s annual general meetings. The second is the UK (or ‘Anglo-Saxon’) model, in which shares in a company are widely owned and there is a broad equity base. While there has been some convergence toward the UK model in respect of protection of minority shareholders and the regulation of takeover bids, there is still considerable difference across Europe in the legal substance of national corporate governance frameworks.

The European Corporate Governance Forum was set up, in early 2005, by the European Commission, to pursue the objective of EU-wide coordination of corporate governance developments across the EU as a whole. ‘The Commission does not want to enact a European Code of Corporate Governance,’ said European Commissioner Charlie McCreevy, ‘we see no need for this at present and the adoption of such a code, if it were even possible, would be an inevitable and possibly messy political compromise, which would be unlikely to achieve full information for investors about the key corporate governance rules.’38 McCreevy described the Forum’s priorities: ‘a first area of work is to examine the existing national codes of corporate governance in order to determine whether there is convergence - if yes to which extent and if not, to determine whether, and, if so, how convergence could be reached.’

38 Charlie McCreevy, European Commissioner for Internal Market and Services, 20 January 2005

A conclusion of the EU’s Barcelona summit in 2002 was that economic efficiency has its basis in solid corporate governance. The drive to achieve it will not abate in the foreseeable future. The Anglo-Saxon model is already well advanced.

Combined Code and the Turnbull Guidance

The first version of the UK’s Combined Code, issued in 1998, replaced, combined and refined the earlier requirements of the Cadbury and Greenbury reports on corporate governance and directors’ remuneration. It came into force for all listed companies for year-ends after December 1998. In the UK, corporate governance is on a ‘comply or explain’ basis; in other words, listed companies are expected to comply but are not statutorily required to do so. They can, if they have good reason, choose not to comply with a particular clause of the Combined Code as long as they explain, in their annual report, why that decision was taken. The market will tend to punish companies that choose not to comply, unless the given reasons are cogent.

The Combined Code requirements were broadly similar to those of the earlier reports, but in one important respect – reporting on controls – there was a major and significant development in 1999, prior to the most recent (2003) revision of the code. Whilst the Cadbury report had envisaged companies reporting on controls generally, the guidance which was issued at that time to clarify those requirements permitted, and indeed encouraged, companies to restrict their review of controls, and the disclosures relating to that review, to financial controls. This meant that potentially more important issues relating to operational control were left outside the reporting framework.

The Turnbull Report

The Turnbull Report – Internal Control: Guidance for Directors on the Combined Code, published by the Internal Control Working Party of the Institute of Chartered Accountants in England and Wales – provided further guidance in 1999 as to how directors of listed companies should tackle this issue.

Paragraph 20 of the Turnbull Report stated that a company’s ‘internal control system encompasses the policies, processes, tasks, behaviors and other aspects of a company that, taken together:

• Facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company’s objectives. This includes the safeguarding of assets from inappropriate use and from loss or fraud, and ensuring that liabilities are identified and managed.

• Help ensure the quality of internal and external reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organization.

• Help ensure compliance with applicable laws and regulations.’

Paragraph 21 recognized that ‘a company’s system of internal control… will include… information and communications processes’. Paragraph 28 was clear that ‘internal controls… should include all types of controls including those of an operational and compliance nature, as well as internal financial controls’.

Guideline for Directors: the Turnbull Report for the first time made it clear to the directors of UK public companies that their internal control systems had to address all forms of information as well as the systems on which that information resides.

Revised Combined Code

Following the work of the Smith and Higgs committees, the Combined Code was revised and re-issued in July 2003. The Turnbull Report was renamed the Turnbull Guidance and included into the revised Combined Code.

In Section 1, the revised Combined Code states that the ‘board’s role is to provide entrepreneurial leadership of the company within a framework of prudent and effective controls which enables risk to be assessed and managed.’ Risk management, in other words, is a key responsibility of the board. The non-executive directors are required to ‘satisfy themselves on the integrity of financial information and that financial controls and systems of risk management are robust and defensible.’

Principle C.2 of the revised Combined Code deals with Internal Control. The Board is required to maintain a sound system of internal control to safeguard shareholders’ investments and the assets of the company. In practice, directors are required ‘at least annually, to conduct a review of the effectiveness of the group’s system of internal controls and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational and compliance controls and risk management systems.’ The Code then refers the reader to the Turnbull Guidance for details on how to apply this provision.

Paragraphs 17, 18 and 19 of the Turnbull Guidance provide an admirably brief and clear description of the principles of a risk treatment plan, of the board’s responsibility to set the policy around risk treatment, the executive’s to implement it, and that of all staff to comply with the system of internal control.

While listed companies are not legally required to comply with the provisions of the revised Combined Code, the Financial Services Authority’s Listing Rules (paragraph 12.43A) require any UK listed company to include the following items in its annual report and accounts:

a) a narrative statement of how it has applied the principles set out in Section 1 of the Combined Code, providing explanation which enables its shareholders to evaluate how the principles have been applied;

b) a statement as to whether or not it has complied throughout the accounting period with the Code provisions set out in Section 1 of the Combined Code. A company that has not complied with the Code provisions, or complied with only some of the Code provisions or (in the case of provisions whose requirements are of a continuing nature) complied for only part of an accounting period, must specify the Code provisions with which it has not complied and (where relevant) for what part of the period such non-compliance continued, and give reasons for any noncompliance.

The company’s auditors must verify the statement made by the directors in respect of the board’s compliance with the Code provisions. This is a clear example of how corporate governance regimes provide a framework within which directors are forced to appropriately exercise their fiduciary duty.

The UK government has adopted the principles of internal control set out by Turnbull and published its own ‘Orange Book’, in which it adapts Turnbull’s recommendations to the public sector. All non-governmental organizations (NGOs) and non-departmental public bodies (NDPBs) are expected to conform to these requirements and all UK government and government-controlled bodies were expected to ensure implementation and integration of the processes by the end of 2003.

The key questions that directors of listed companies and ‘Orange Book’ public sector organizations seek to answer (and which are not meant to be exhaustive) are set out in Appendix 1 to the Turnbull Guidance and are quoted below. Key questions include:

• Are the significant internal and external operational, financial, compliance and other risks identified and assessed on an ongoing basis? (Significant risks may, for example, include those related to market, credit, liquidity, technological, legal, health, safety and environmental, reputation, and business probity issues.)

• Does the board have clear strategies for dealing with the significant risks that have been identified? Is there a policy on how to manage these risks?

• Are information needs and related information systems reassessed as objectives and related risks change or as reporting deficiencies are identified?

• Are there specific arrangements for management monitoring and reporting to the board on risk and control matters of particular importance? These could include actual or suspected fraud and other illegal or irregular acts, or matters that could adversely affect the company’s reputation or financial position.

The Turnbull Guidance does not specify which risks should be included in the scope of the report and what can be left out. The report simply says, in paragraph 16, that ‘the board of directors is responsible for the company’s system of internal control. It should set appropriate policies on internal control and seek regular assurance that will enable it to satisfy itself that the system is functioning effectively’. In paragraph 17, it goes on to say that, in determining its policies, the board should consider ‘the extent and categories of risk which it regards as acceptable for the company to bear, [and] the likelihood of the risks concerned materialising’.

Given the absence of definitive guidance on what risks to include or exclude, and the evident information and IT-related risks faced by every organization, IT governance is a fundamental component of effective risk management.

It is clear that systems designed to meet the requirements of Turnbull should be integrated into the organization. This means that the necessary internal control systems should form part of the organizational culture and be part of the day-to-day management of the organization. They certainly should not be a separate structure designed solely for the purpose of complying with the code, nor should they be introduced from outside the organization without there being real ownership within – and from the top of - the organization. Implementation does require the entire organization to embrace the principles of the Code; this can only happen if the process is taken sufficiently seriously for it to be embraced at board level and to be owned by the chairman, chief executive and the whole board.

Sarbanes Oxley

The Sarbanes-Oxley Act of 2002 (SOX), introduced in the United States of America in the aftermath of Enron, has important IT governance implications for listed American companies, their foreign subsidiaries and foreign companies that have US listings. It applies to all Securities and Exchange Commission (SEC) registered organizations, irrespective of where their trading activities are geographically based. SOX is fundamentally different from the Combined Code, and from codes of corporate governance adopted elsewhere in the OECD, in that compliance is mandatory, rather than ‘comply or explain’. This aspect, combined with significant potential sanctions for individual directors, is driving SOX compliance requirements through the supply chain.

While the Act lays down detailed requirements for the governance of organizations, the three highest profile and most critical sections – which were implemented in phases - are 302, 404 and 409.

Key sections of Sarbanes Oxley Act

The SEC, which is responsible for implementation of SOX, has relevant information available at www.sec.gov/spotlight/sarbanesoxley.htm, and the Sarbanes-Oxley web site itself is at www.sarbanes-oxley.com.

Internal controls and audit

Under SOX, management is required to certify the company’s financial reports and both management and an independent accountant are required to certify the organization’s internal controls. In almost every organization, financial reporting depends on the IT infrastructure, whether it is for the rendering of an invoice, the effective operation of an ERP system, or an integrated, organization-wide management information and control system. Unless appropriate internal controls are built into this infrastructure, management will not be able to make the required certification.

The SEC requires US companies to use a recognized internal control framework that has been established by an organization that developed the framework through a due process, including inviting public comment. One widely used framework is known as the COSO framework or, to give it its own title, the ‘Internal Control – Integrated Framework’, which contains the recommendations of the Committee of Sponsoring Organizations of the Treadway Commission (www.coso.org). The sponsoring organizations included the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants and the American Accounting Association. The PCAOB (Public Company Accounting Oversight Board, at www.pcaobus.org, created under SOX to oversee the activity of the auditors of public companies in the United States) expects the majority of public companies to adopt the COSO framework, and its Auditing Standard No 2, dealing with audit of internal control over financial reporting, assumes that the COSO framework (or one substantially like it) will have been adopted.

Auditing Standard No 2 contains, at paragraph 15, a statement that demonstrates close alignment with the Turnbull guidance in the UK: ‘Not all controls relevant to financial reporting are accounting controls. Accordingly, all controls that could materially affect financial reporting, including controls that focus primarily on the effectiveness and efficiency of operations or compliance with laws and regulations and also have a material effect on the reliability of financial reporting, are a part of internal control over financial reporting.’

COSO identifies two broad groups of IT systems control activities: general controls and application controls. General controls are those controls which ensure that the financial information from a company’s application systems can be relied upon. General controls exist most commonly as part of an Information Security Management System (such as that identified in BS7799/ISO17799). Application controls are embedded in the software to detect or prevent unauthorized transactions. Such controls can be used to ensure the completeness, accuracy, validity and authorization of transactions.

Paragraph 50 of Auditing Standard No 2 identifies the need for what we call an IT governance framework in maintaining the internal control environment: ‘information technology general controls over program development, program changes, computer operations, and access to programs and data help ensure that specific controls over the processing of transactions are operating effectively.’

Auditing Standard No 2 goes on, at paragraph 52, to require evaluation of the effectiveness of company-level controls at the outset of the audit engagement, on the basis that it is the company-level controls that have such a ‘pervasive impact on controls at the process, transaction or application level.’ These company-level controls include consistent policies and procedures and codes of conduct – all of which are at the heart of ISO17799. The auditing standard specifically cross-references the existing Consideration of Internal Control in a Financial Statement Audit, issued by the AICPA in 1990, because it sets out clearly the effect of information technology on internal control over financial reporting.

Risk management framework

All organizations face risks of one sort or another on a daily basis. Risk management is a discipline for dealing with non-speculative risks, those risks from which only a loss can occur. Speculative risks, those from which either a profit or a loss can occur, are the subject of the organization’s business strategy whereas non-speculative risks, which can reduce the value of the assets with which the organization undertakes its speculative activity, are (usually) the subject of a risk management plan. These are sometimes called permanent and ‘pure’ risks, in order to differentiate them from the crisis and speculative types. Usually, the identification of a risk as either speculative or permanent reflects the organization’s risk appetite.

Risk management plans generally have four, linked, objectives. These are to:

1. eliminate risks;

2. reduce those that can’t be eliminated to ‘acceptable’ levels; and then to either

3. live with them, exercising carefully the controls that keep them ‘acceptable’; or

4. transfer them, by means of insurance, to some other organization.

Pure, permanent risks are usually identifiable in economic terms; they have a financially measurable potential impact upon the assets of the organization. Risk management strategies are usually therefore based on an assessment of the economic benefits that the organization can derive from an investment in a particular control; in other words, for every control that the organization might implement, the calculation would be that the cost of implementation should be outweighed, preferably significantly, by the economic benefits that derive from, or economic losses that are avoided as a result of, its implementation. The organization should define its criteria for accepting risks (for example, it might say that it will accept any risk whose economic impact is less than the cost of controlling it) and for controlling risks (for example, it might say that any risk that has both a high likelihood and a high impact must be controlled to an identified level, or threshold).

Risk Assessment

A systematic approach to risk assessment should take into account business, legal and regulatory requirements placed on the business. In other words, it must be business-driven. This is one of the most important ideas in information security: the business, managed by its board of directors, should identify the threats to assets, vulnerabilities and impacts on the organization and should determine the degree of risk that it is prepared to accept – in the light of its business model, business strategy and investment criteria. Risk assessment is a ‘systematic study of assets, threats, vulnerabilities and impacts to assess the probability and consequences of risks’39 or, in our terms, the systematic and methodical consideration of:

1. the business harm likely to result from a range of business failures, and

2. the realistic likelihood of such failures occurring.

Guideline for Directors: the risk assessment should be a formal process. In other words, the process should be planned and the input data, its analysis and the results should all be recorded. ‘Formal’ does not mean that technical risk assessment tools must be used although, in more complex situations, they may improve the process and add significant value. The complexity of the risk assessment will depend on the complexity of the organization and of the risks under review. The techniques employed to carry it out should be consistent with this complexity and the level of assurance required by the board.

Qualitative risk analysis is by far the most widely used approach. Risk analysis is a subjective exercise in any environment where returns are derived from taking risks – and it is preferable to be ‘approximately correct, rather than precisely wrong.’ All individual inputs into the analysis will reflect individual prejudice, and so the process of information gathering should question inputs to establish what really is known – and what is unknown. The process is as follows:

39 ISO 17799:2005

Controls

These are the countermeasures for risks. Apart from knowingly accepting risks that fall within the criteria of acceptability, or transferring the risk (through insurance) to others, there are four types of control:

1. Deterrent controls reduce the likelihood of a deliberate attack.

2. Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact.

3. Corrective controls reduce the effect of an attack.

4. Detective controls discover attacks and trigger preventative or corrective controls.

It is essential that any controls that are implemented are cost-effective. The principle is that the cost of implementing and maintaining a control should be no greater than the cost of the impact. It is not possible to provide total security against every single risk; there is a trade-off that involves providing effective security against most risks.

Risk management

No organization, though, should invest in information security technology (hardware or software) or implement processes and procedures without having carried out an appropriate risk assessment which assures them that:

1. The proposed investment (the total cost of the control) is the same as or less than the cost of the identified event’s impact;

2. The risk classification takes into account its probability; and

3. The priority of the risk is appropriate – i.e. have all the risks with higher prioritization already been adequately controlled?

If the organization cannot satisfy itself that the proposed investment meets these criteria, it will be wasting money – and the time required to implement the control – while leaving itself open to more likely risks and, conceivably, with inadequate resources to respond to the more likely risk when it occurs. There is, in other words, a risk associated with not doing – and maintaining – an adequate risk assessment and risk management framework, and directors should carefully consider this risk (and their fiduciary duties) before proceeding without one.
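The acceptance criteria given under ‘Risk management framework’ (accept a risk whose economic impact is less than the cost of controlling it; control any risk that is both high likelihood and high impact) and the three investment tests above can be written down as a small risk-register routine. The following is an added illustration, not the book’s own method: the three-point qualitative scale, the treatment of an uneconomic control on a high/high risk as a candidate for transfer (insurance), and the register entries and figures are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed three-point qualitative scale for likelihood and impact ratings.
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    name: str
    likelihood: str       # "low", "medium" or "high"
    impact: str           # qualitative impact rating on the same scale
    impact_cost: float    # financially measurable impact on the asset
    control_cost: float   # total cost of implementing and maintaining the control
    controlled: bool = False

    def exposure(self) -> int:
        """Qualitative exposure score: likelihood x impact (1..9)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

def treatment(risk: Risk) -> str:
    """Decide accept / control / transfer using the acceptance criteria."""
    if risk.likelihood == "high" and risk.impact == "high":
        # High likelihood and high impact must be controlled to a threshold.
        # Assumption: if the control costs more than the impact, the risk is
        # a candidate for transfer (insurance) rather than being accepted.
        return "control" if risk.control_cost <= risk.impact_cost else "transfer"
    if risk.impact_cost < risk.control_cost:
        return "accept"  # economic impact is less than the cost of controlling it
    return "control"

def investment_check(risk: Risk, register: list) -> list:
    """Reasons a proposed control investment fails the three tests (empty = passes)."""
    if risk.likelihood not in LEVELS:
        return ["risk classification lacks a probability rating"]
    failures = []
    if risk.control_cost > risk.impact_cost:
        failures.append("control costs more than the event's impact")
    higher = [r.name for r in register
              if r.exposure() > risk.exposure() and not r.controlled]
    if higher:
        failures.append("higher-priority risks still uncontrolled: " + ", ".join(higher))
    return failures

def prioritised(register: list) -> list:
    """Risk names ordered by exposure, highest first (ties keep register order)."""
    return [r.name for r in sorted(register, key=lambda r: -r.exposure())]

# Constructed sample register (illustrative figures, not from the text).
REGISTER = [
    Risk("ERP outage during month-end close", "high", "high", 500_000, 120_000),
    Risk("Unauthorised journal entry", "medium", "high", 200_000, 40_000),
    Risk("Lost laptop holding no customer data", "high", "low", 2_000, 15_000),
    Risk("Invoice template corruption", "low", "low", 5_000, 8_000),
]
```

Running `investment_check` on the journal-entry risk before the ERP risk is controlled fails the priority test, which is exactly the situation the third criterion is meant to catch.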

Conclusions

Corporate governance requirements are converging rapidly throughout the OECD. Accounting and auditing standards are becoming internationalised. Yes, there will continue to be national variations and many countries (and industrial sectors) will continue fighting for dispensations from an increasingly global norm. But those companies that want easy access to the world’s largest capital markets will find that adoption of global best practice is an essential precursor. And in the information economy, explicit inclusion of IT governance within the overall corporate governance framework is best practice.

Risk management is a core board responsibility. In IT terms, the board has to consider both the day-to-day activities of the organization and the extraordinary events that will affect it. There are, for instance, specific risks to current information and steady-state systems that are different from those that relate to a specific business project, such as a new product launch, automation of a business process, a strategic diversification or an acquisition.

In just the same way as, when considering (for instance) a major outsourcing contract, the board will consider the risks around transfer of proprietary information, the transfer and disruption of human resources, the compliance and contract management challenges, and so on, so the board must consider, when dealing with an IT project, what the risks to the enterprise might be – from technology evolution through market change to management incapacity – before embarking on the project.

Guideline for Directors: insist that risk assessment is a standard, pro-active component of board thinking on every issue and that the board’s appetite for, and criteria about, risk are clearly understood and transparent throughout the organization.
