On Target April - May 2007

“Snapshots” Series

On Target concludes its series of Snapshots on a particular theme over many issues.

Communication Channels in ERM – A Management Accounting Perspective

There must be effective communication channels linking the ‘risk owners’. This is critical to successful ERM and governance. The Chief Risk Officer (CRO), ideally a management accounting qualified person, can facilitate effective two-way communication between: (1) the board and senior management, (2) senior management and risk owners, (3) management and auditors, (4) internal and external auditors, and (5) auditors and the board. Ultimately, the company is responsible to its stakeholders, and, accordingly, should communicate relevant risk management, control, and governance information to them.

Ideally, ERM and governance responsibilities of the board and its committees are clearly articulated in charters and shared with senior management. Often, this downward communication is via the CRO. Specific ERM and governance information that the board, via the CRO, should communicate downward to risk owners includes:

· A written code of conduct that articulates the company's ethical principles and specific rules of conduct;

· A written risk management framework that conveys senior management's risk management philosophy, policies, strategies, and procedures; and

· Risk management authority, tolerance thresholds, and performance metrics for individual risk owners.

Relevant and reliable upward communication from risk owners to the board is also imperative to effective ERM and governance. Often an organisation’s internal audit function assists risk owners in preparing the risk management plans they present to the CRO (or the executive risk committee), who then communicates key aspects of these plans to the board. General Motors, for example, has managers report on the effectiveness of their risk management (Barton et al., 2002).

The specific information that risk owners should communicate upward to the CRO and the board includes:

· Written assertions regarding compliance with the company's code of conduct,

· Risk and control assessments,

· Risk management plans, and

· ERM performance reports.

With regard to communications between management and auditors, a clear understanding must be reached, preferably in writing, regarding specific assurance services to be provided. This applies not only to external auditors, but also to internal auditors. Whilst external auditors are encouraged by their professional standards to specify their contractual obligations to clients in engagement letters, the Institute of Internal Auditors’ Standards call for internal auditors to formally define their purpose, authority, and responsibility in a charter that is approved by the board of directors. The management accountant should act as the facilitator of this two-way communication process to ensure that management provides adequate information to the auditors for the auditors to complete their work.

External auditors communicate to management any deficiencies in internal control over financial reporting uncovered during the course of their work. They communicate their findings to the board and external parties using financial accounting standards and assurance techniques. Whenever external auditors uncover evidence that fraud may exist, they are required by their professional standards to bring the matter to the attention of the board and ultimately to the shareholders.

Whenever internal auditors uncover evidence that fraud may exist, they are required to bring the matter to the attention of an appropriate level of management, often the CFO. However, the internal auditors' assurance reports are no longer limited to ensuring adequate financial controls within the transaction recording processes. These assurance reports could now include applicable conclusions and recommendations on strategic and ERM issues, and may include strategic action plans that require management agreement. Often conflict arises in this area as the conclusions, recommendations, and action plans are based on the auditors' evaluation of risk management performance, and could be very different from management’s perceptions. The CRO therefore needs to be an individual who not only has the authority, but also the technical ability to resolve such conflict, especially in the area of strategic recommendations.

The CRO should also facilitate the communication links between internal and external auditors, so that they share information with each other and coordinate assurance activities to ensure proper coverage and minimal duplication of efforts. Such sharing of information may involve periodic meetings, reviewing each other's working papers and reports, and discussing relevant issues of mutual interest as they arise.

Traditionally, there has been poor communication between board members and auditors, especially in companies that are controlled by autocratic CEOs and CFOs. Enron and WorldCom are classic examples. The CEO/CFO often acts as a gatekeeper/influencer in the audit process, with the board having very little access to the auditors. Since the tightening up of mandatory (SOX) and voluntary corporate governance requirements, certain categories of companies are required to establish ‘audit committees’ of the board of directors. Such a committee is set up to oversee the work of internal and external auditors, calling on them to provide independent assurance about the enterprise's risk management, control, and governance processes. As control and ERM fall very much in the area of management accounting, the CRO (management accountant) would be involved in the review of the internal auditors' annual audit plan with the chief audit executive in relation to any strategic recommendations in the area. The financial accountant, on the other hand, would be involved with the plans for auditing the company's financial statements and internal control over financial reporting with the external auditor.

Finally, the CRO should be involved in the communication of the company's ERM strategies to its external corporate stakeholders. Because stakeholders are the primary "customers" of the governance process, a company's governance responsibilities are not fulfilled until pertinent governance-related information is reported externally.

Such public disclosures are increasing. Some companies, such as General Motors and Shell Corporation, voluntarily publish corporate governance principles and guidelines. Stock exchanges in the U.K., Canada, and other countries require listed companies to disclose certain governance information. The Federal Deposit Insurance Corporation Act of 1991 requires large banks to issue management reports on the effectiveness of their controls over financial reporting and to obtain independent public accountants' opinions regarding management's assertions. The Sarbanes-Oxley Act of 2002 extends such requirements to all annual reports of publicly traded companies required by section 13(a) or 15(d) of the Securities Exchange Act of 1934.

Several organizations are putting pressure on companies to further expand and improve public disclosures of governance, risk management, and control information, among them the Institute of Internal Auditors and the National Association of Corporate Directors.

There are two downsides to this increasing pressure for more and more disclosure. One is that strategic competitive information may be available in the public domain. An enterprise should consider carefully what information it discloses as it may be disclosing its future. The second is the significant cost of putting into place such governance, assurance and reporting processes. The CFO magazine in September 2006 reported that General Electric estimated that their total cost to become SOX compliant was cumulatively US$33 million. There are also significant on-going costs. For a large company the minimum cost of becoming SOX compliant was $500,000 for the first year and $300,000 from then on. These are significant costs having long-term impacts on company profitability. In organisations in which governance reporting is voluntary, the management accountant should ascertain the cost-benefit of installing these governance procedures.

 

BOOKSHELF

I hope you are pleased to be receiving the CFO journal with your On Target.  I have been reading CFO for some time and always find something that makes me think or good examples of what is happening in the world of financial management.  It is a sign of the times that the journal does not have ‘accountant’ in the title.

I recently pulled out some newspaper advertisements for ‘business analyst’ or similar jobs that made me think of the changed role of ‘management accountants’.  These jobs wanted graduates with strong commercial skills able to think strategically and critically in a complex environment, to derive trends and forecasts, and to proactively support marketing and operating managers in the delivery of business plans aimed at profitable growth.  Many did not specify CPA/CA or an accounting degree.  I was left feeling that too many ‘accounting’ graduates are not qualified for what I would think would be interesting, rewarding work.

Do too many university leaders believe their own rhetoric that they are achieving great things educationally? Lots of research is showing that too many accounting graduates are only able to apply rules or standard formulas, just as a robot might. As the ICMA programs acknowledge, it is possible to teach all the ‘accounting stuff’ to people with a non-accounting degree but with an ability to think for themselves and end up with professionals who can add much greater value to organisations.

Another journal that I like to keep up with is Sloan Management Review.  The Fall 2006 issue has an article by McGrath, Kell and Tukiainen, “Extracting value from corporate venturing”.  The writers argue that product innovation need not be tied to existing products, indeed that innovation in existing lines may be constrained by those with vested interests.  The article provides the example of Nokia in their search for opportunities beyond their existing business.

- Bill Richardson

 

What’s On?
 

March 30 – April 1, 2007 Melbourne, Australia

Advanced Strategic Management Accounting, 1st Intensive Weekend. Monash University

April 15 – 22, 2007 Mumbai, India

8th CMA Symposium on Advanced Management Accounting and Advanced Strategic Management Accounting conducted by First Canvas and D'Souza Financial Services, for CMAINDIA.

April 20, 2007 Port Moresby, Papua New Guinea

ICMA Graduation Ceremony - Asia Pacific Graduate School of Management. This ceremony will graduate 120 CMA, GMA, Advanced Diploma and CAT awardees.

April 27 - 29, 2007 Melbourne, Australia

Advanced Strategic Management Accounting, 2nd Intensive Weekend. Monash University

May 21 – May 29, 2007 Jakarta, Indonesia

Advanced Management Accounting and Advanced Strategic Management Accounting conducted by IPMI Graduate School of Management

June 11 - 19, 2007 Colombo, Sri Lanka

11th CMA Symposium on Advanced Management Accounting and Advanced Strategic Management Accounting conducted by the Institute of Chartered Accountants of Sri Lanka.

July 2-4, 2007, Toronto, Canada

Strategic Cost Management symposium conducted by AFMA.

July 7-10, 2007, Toronto, Canada

Strategic Business Analysis symposium conducted by AFMA.

July 28, 2007, Manila, Philippines

CMA Asia Management Accounting Conference


2005 Institute of Certified Management Accountants, All Rights Reserved.