Management System for Records ISO 30300:2011

King III states that:

The board should ensure that there are systems in place for the management of information which should include information security, information management and information privacy.

The new ISO standards will help organizations to apply this principle and disclose corporate information quickly and effectively.

Here is the official ISO press release: Official ISO30300 Press Release

The standards are titled ‘management system for records’ (MSR) standards.

• ISO 30300 Management system for records – Fundamentals and vocabulary
• ISO 30301 Management system for records – Requirements.

These standards:

> Include experience gained in the implementation of the 10 year old, ISO15489, Information and documentation – Records management standard; and

> Are compatible with and complementary to other standards, such as ISO 9001 (quality management), ISO 14001 (environmental management), and ISO/IEC 27001 (information security management).

What is the difference between a ‘management system for records’ and a ‘records system’?

A ‘management system for records’ is the management system to direct and control an organization with regard to records.

It focuses on controlling the organization.

A ‘records system’ is an information system which captures, manages and provides access to records over time.

It is usually a combination of people, processes, tools and technology specifically to control records.

What is the relationship between ISO30300 and ISO 15489?

ISO 30300

Is high level, aimed at the controls and processes for managing the organization and establishing the strategic framework for good records management, e.g. policy, leadership, planning, monitoring etc.

ISO 15489

Is aimed at the operational aspects of records management – focussed on the controls and processes for managing records. ISO 15489 stands as the foundation standard for use by records management practitioners as the statement of principles and operational processes and controls for records.

Why a Management System for Records?

Information Management – Managing records using a standard

supports cost-effective operational processes, such as storage, information retrieval, information re-use, litigation and due diligence, say Ellis and Bustelo, leaders of the working groups that developed the standards

Records are integral to any organization’s activities, processes and systems.

Solid records management:

• Enables management efficiency, accountability, risk management and business continuity;
• Empowers organizations to capitalize on the value of their information resources as business, commercial and knowledge assets; and
• Contributes to the preservation of organizational memory, in response to the challenges of the global and digital environment.

Why an ISO standard?

The standards are an organization-wide, strategic approach to providing the right framework, based on international best practice.

A ‘management system’ is ‘framework of policies, procedures, guidelines and associated resources to achieve the objectives of the organization’ [ISO/IEC 27000:2009(E), definition 2.26]

A ‘management system for records’ is the management system to direct and control an organization with regard to records. [ISO/DIS 30300, 3.4.2]

Who will use the standards?

The standards are intended for organizations of all types and sizes, or group of organizations with shared business processes.

These standards are primarily aimed at management – at all levels.

The standards are also useful for auditors, risk managers and others who have an interest in evidence-based decision-making and collaboration, accountability and transparency of business, and sound business management.

What are the benefits of using standards?

> Legal compliance and protection, including support for litigation or due diligence.

> Ability to meet regulatory requirements, including

- accountability, ethical and corporate governance requirements;

- regulatory compliance;

- financial and practice audits

> More sustainable and greater consistency of service provision based on authentic, reliable and usable information

> Facilitates a common language across an organisation, for articulating common principles, minimum benchmark criteria and best practice.  (King III: “The board should ensure promotion of an ethical IT governance culture and awareness and of a common IT language.”)

> Enables a coordinated and consistent approach to establishing policy, objectives, targets and implementation techniques across an organisation; thereby minimizing duplication, redundancy, and incompatible processes

> Support of risk management, including:

- Privacy (King III: “The board should ensure that all personal information is treated by the company as an important business asset and is identified“);

- Security (King III: “The board should ensure that there are systems in place for the management of information which should include information security“)

- Reputation Management (King III: “The board should appreciate that stakeholders’ perceptions affect the company’s reputation“);

- Business Continuity planning and implementation (King III: “Management should regularly demonstrate to the board that the company has adequate business resilience arrangements in place for disaster recovery.”)

> Ability to set and assess performance measures for the use of commercial service providers, and for inclusion in commercial contracts

> Integrated use of standards has the benefit of eliminating redundancy, establishing consistency, optimizing processes and resources, consolidating assessments, reducing maintenance and improving decision making

What terminology is introduced?

The main change is the definition for ‘records’.

In ISO 15489 it is:

Information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business

In ISO 30300 it is:

Information created, received, and maintained as evidence and /or as an asset by an organization or person, in pursuance of legal obligations or in the transaction of business or for its purposes, regardless of medium, form or format.

The task of defining terms in international standards is difficult and requires compromise to reach across jurisdictional and language barriers.

The definition used in ISO 30300 has been expanded to address specific issues:

One issue is that in several member countries the word ‘evidence’ refers only to information presented to a court.

• This is too narrow for the definition of records.
• In the new text (ISO 30300) ‘evidence’ refers to ‘documentation of a transaction, proof of a business transaction which can be shown to have been created in the normal course of business activity and which is inviolate and complete.
• Not limited to the legal sense of the term’.

Another issue is the idea of managing records as asset. ‘Asset’ refers to anything that has value to the organization, e.g. information, software, physical, services, people, and intangibles [ISO/IEC 27000: 2009, definition 2.3].

Also, it was agreed to refer to the organization’s purposes without limiting them but making it clear that ‘records’ are kept for a reason, not merely accumulated by default.

Finally it was agreed that it was needed to state that the medium, format or form of a record was not limited, so everyone understood it included paper-based and electronic formats, or other media.

Why are records managed as assets?

There is a strong need to identify ‘records’ as ‘valuable’ to organizations without falling into the difficulty of quantifying or defining value.

It was agreed to use the word ‘asset’ to reflect that requirement.

The inclusion of ‘asset’ is considered important for top management – who should be concerned about evidence-based governance, capacity building, sustainable development and value added business process.

Records are agreed as assets and valuable to business for the following reasons:

• Strategy, including effective conduct of business through:

o informed decision-making;

o performance management;

o productivity improvement;

o consistency, continuity and quality assurance in management and operations

• Operations, including responsive and accurate service delivery, resource management and cost control

• Regulatory compliance, and legal protection and support

• Accountability, corporate governance, financial and practice audits

• Risk management, including security, reputation management, business continuity planning and implementation

• Ethics, including openness, trust and meeting expectations of external stakeholders

• Corporate memory, including innovation through capture and reuse of organizational knowledge, and use of strategic knowledge to support business.

Where can one get the standards?

You can buy them from ISO

What else is in development?

Two new products are under development:

> Management System for Records – Guidelines for Implementation

These are guidelines for implementing an MSR.

> Management system for records – Requirements for bodies providing audit and certification

This contains the requirements for independent bodies providing audit and certification of an organization’s MSR.

The above was sourced from the ISO release: ISO TC46 SC11 FREQUENTLY ASKED QUESTIONS

Contact us to find out more 

IT projects are now so big, and they touch so many aspects of an organization.

Mismanaged IT projects routinely cost the jobs of top managers and have sunk whole corporations.

We have also seen many South African cities and government departments in peril due to  IT project disasters.

It will be no surprise if a large, established company fails in the coming years because of an out-of-control IT project.

In fact, the following data suggests that one or more will.

King III, Chapter 5

“The board should oversee the value delivery of IT and monitor the return on investment from significant IT projects.”

Directors need to take “due care” when directing such projects in their organisation.

Reasearch

Bent Flyvbjerg (BT Professor and founding chair of major programme management at Oxford University’s Saïd Business School) and Alexander Budzier (a consultant at McKinsey & Co. and doctoral candidate at Saïd), examined 1,471 projects, comparing their budgets and estimated performance benefits with the actual costs and results.

They included many types of systems, from enterprise resource planning to management information and customer relationship management systems.

Most incurred high expenses—the average cost was $167 million, the largest $33 billion—and many were expected to take several years.

Black Swans

The average IT project overrun was 27% but 67% of the projects studied was a black swan

• A cost overrun on average was 200%
• A schedule overrun of almost 70%.

This highlights the true pitfall of IT change initiatives:

It’s not that they’re particularly prone to high cost overruns on average, as management consultants and academic studies have previously suggested.

It’s that an unusually large proportion of them incur massive overages—that is, there are a disproportionate number of black swans.

By focusing on averages instead of the more damaging outliers, most managers and consultants have been missing the real problem.

Avoiding Black Swans

Flyvbjerg and Budzier advise leaders to:

1. Ask two key questions

1. Is the company strong enough to absorb the hit if its biggest technology project goes over budget by 400% or more and if only 25% to 50% of the projected benefits are realized?
2. Can the company take the hit if 15% of its medium-sized tech projects (not the ones that get all the executive attention but the secondary ones that are often overlooked) exceed cost estimates by 200%?

“These numbers may seem comfortably improbable, but, as our research shows, they apply with uncomfortable frequency.”

2. Break big projects down into ones of limited size, complexity, and duration;

3. Recognize and make contingency plans to deal with unavoidable risks; and

4. Use the best possible forecasting techniques, for example, “reference class forecasting,”. This is a method based on the Nobel Prize–winning work of Daniel Kahneman and Amos Tversky. These techniques are widely used in business, government, and consulting and have become mandatory for big public projects in the UK and Denmark.

As companies become even more reliant on technolgy, periodic overhauls of existing systems are inevitable. The risks involved can be profound, and avoiding them requires careful attention.

 This blog was based on an article by Bent Flyvbjerg and Alexander Budzier.

GovN provides you with what you need to address King III

Take the first step – contact us today!

Today “Social Media” such as Facebook, Twitter, LinkedIn and Google  is considered an IT (information technology) issue.  King III states that the board is responsible for ensuring that an organisation has suitable policies to address IT.  Therefore, by implication, the board is responsible for ensuring that a suitable policy is in place to address social media.

Labour Law was created prior to the age of Facebook, Twitter and Google (mail, buzz, plus).  Organizational labour practices have been filling in the blanks since, but the risk remains.  As more cases related to social media are decided, so social media practices will continue to change and so will the risks associated with them.

In the meantime, what steps should the board take to reduce the chances of becoming embroiled in a dispute with employees about the use of social media?

1. Become familiar with case developments

In the US,

Two recent reports show that social media is having an impact on labor practices.

1. On Aug. 5, the U.S. Chamber of Commerce issued a survey of more than 100 cases related to social media and the workplace that were filed within the past 18 to 20 months with the National Labor Relations Board (NLRB).
2. Two weeks later, the acting general counsel of the NLRB released a report that described recent case developments related to the use of social media and employers’ policies.

Among the cases discussed in the NLRB report, which was issued Aug. 18, are:

• Four cases involving employees using Facebook that found that the employees’ activity was “protected” and “concerted” because they were discussing terms and conditions of employment with fellow employees;
• Five cases involving Facebook or Twitter posts by employees in which the activity was determined to be unprotected under the US National Labor Relations Act (NLRA), which applies to both unionized and nonunionized employees and prohibits employers from committing unfair labor practices; and
• Five cases in which some provisions of employers’ social media policies were found to be overly broad, potentially prohibiting Section 7 activity.

This information was provided by Raj Chaudhary. He can be contacted at raj.chaudhary@crowehorwath.com.

In South Africa,

Several law firms also post relevant updates on their websites.

The CCMA (The Commission for Conciliation, Mediation and Arbitration) is a source of important information. An email (CCMAil) is distributed quarterly. For a subscription, contact HO@CCMA.org.za

1. The CCMA made an important decision about employee’s rights to privacy on webmail services, like Gmail.  The decision is reported under Smith and Partners in Sexual Health (Non-Profit) CCMA (WECT 13711-10).
2. The CCMA made an important decision regarding Facebook. The decision is reported under Sedick & Another and Krisray (Pty) Ltd (2011) (32 ILJ 752). 

2. Understand the benefits and the risks

In the connected world organisations participate in today, it is extremely important that such channels are not closed to employees, they must just be effectively managed.

Social Media brings with it many viable cost reduction benefits such as those for: recruitment, information, communication and disclosure.

The Kelly Global Workforce Index 2011 revealed that 29% of respondents secured their most recent position through word-of-mouth referrals, followed by recruitment firms (26%), direct approaches from employers (20%), print advertisements (10%), online job postings (8%), other methods (5%) and social media sites (1%).

The board should ensure that the company is actively participating and able to participate in the benefits Social Media brings. King III states that the board should:

ensure that there is a process in place to identify and exploit opportunities to improve the performance and sustainability of the company through the use of IT.

However, with improved communication comes also comes increased risk:

The board must ensure that the Chief Executive Officer is able to:

1. Articulate the risks faced by the company (labour, information security etc) to completion / exhaustion;
2. Demonstrate how the risks are being mitigated;
3. Present the contingecy plans.

3. Implement solid policies

King III states that the board should be ensuring that “an IT charter and policies are established and implemented.”

The law firm, Webber Wentzel, posted the following on their website:

“In light of the legal concerns that an employer may be faced with, coupled with the potential commercial impact of an employee’s use of social networking platforms, employers would be well advised to have a specific policy in place regulating the use of social networking platforms and social media. Such a policy should include (in no particular order):

• when the employee may access social networking platforms;
• if, and to what extent, the employee is entitled to access social networking platforms on electronic devices provided solely for business purposes (for example, a smartphone or iPad);
  general rules of social networking “etiquette” – especially when discussing the employer, other employees, clients or suppliers of the employer (as well as any competitors of the employer); and
• how the employee’s duty of good faith extends to his or her behaviour on social networking platforms.”

4. Educate

The board must ensure that their position on social media is well communicated.

This communication should include all stakeholders:

• Employees: Management must ensure that employees are aware of the organization’s social media strategy and policies and trained according to the mitigation plans.
• Suppliers: Organizations or individuals providing services and products to the organisation should be in no doubt as to the organisation’s position on the use of social media – the organisation’s strategy to both leverage and manage the channel. Suppliers should also be made aware of how they can participate in this channel with the organisation.
• Regulators: With the speed and breadth of communication made available by the social media channel, it is important that the organisation’s regulators responses are managed. It is in the organisation’s interest to communicate with pertinent regulators and develop a method of response in the event that a detrimental message is received through the social media.
• Community: Shakespear portrays the position well in his play “Julius Caesar”. In Act III, scene ii:

The scene revolves round two speeches, one by Brutus and the other by Mark Antony.  Both are made to the citizens of Rome who are fickle and can be easily swayed. Whereas Brutus’ speech written in prose is crude, does appeal to the rabble, Mark Antony’s speech is eloquent and inspirational, and quickly wins them back.  Brutus has to struggle with his audience to obtain their attention, whereas Mark Antony immediately gets their attention by entering carrying Caesar’s body.

No community has been found to be as fickle as that of the social media community.

The board must ensure that the organisations position on the use of social media is clear.

Directors can minimize personal liability by using GovN

Contact us to find out how

King III, the code of governance for South Africa, says that “the board should ensure that a framework and processes are in place to anticipate unpredictable risks.”

When the board delegates the authority to management to put this “framework” and these “processes” in place, what is the board expecting from management?

A number of unexpected catastrophes and shortages have dominated headlines this year. These events have been typical examples of the kinds of high-magnitude, low-frequency upheavals that Nassim Nicholas Taleb labeled black swans.

The Black Swan: The Impact of the Highly Improbable (Random House, 2007)

Taleb defines a black swan as: an event with the following three attributes.

• First, it is an outlier, as it lies outside the realm of regular expectations, because nothing in the past can convincingly point to its possibility.
• Second, it carries an extreme impact….
• Third, in spite of its outlier status, human nature makes us concoct explanations for its occurrence after the fact, making it explainable and predictable.

Individual black swan events are impossible to predict, but they regularly occur and have a tremendous impact.

Some observers argue that the frequency of these events is increasing; others say global communication networks have simply made us more aware of them than we were in the past. In any case, with the rise of global business, it is likely that black swans carry increased risks for your company.

Are existing Risk Management Frameworks and processes the solution?

Typically management responds by using the existing Risk Management Framework and processes, but is this enough?

Existing Risk Management Frameworks and processes are used to:

1. Are used to Identify potential business disruptions, map out their most likely effects, and develop mitigation plans and preventive actions to reduce the risk exposures;
2. Are used to focus on the most frequently encountered risks – such as whether the enterprise is complying with regulations, suitably accounting for its activities, and operating in an ethical and legal manner;
3. Are resourced to provide the capacity to address these most pressing risks.

Existing Risk Management Frameworks and processes are not geared to also monitor high-magnitude, low-frequency “disrupters” on a continuous or regular basis.

The resources required to monitor for Black Swans cannot be justified in the normal course of business, so what can be justified? One possible solution to this conundrum is disrupter analysis.

Disrupter Analysis

Disrupter analysis does not seek to predict black swans and is not meant to replace existing the existing Risk Management framework and processes. Disrupter analysis compliments the existing risk management solution.

Disrupter analysis is designed to periodically administer a stress test in order to assess its ability to withstand black swans.

The analysis is typically conducted by a separate, temporary team, working in conjunction with the existing risk management resources.

It consists of a four-step process:

1. Map the company using a number of factors:

•  Geographic footprint
• Composition and construction of the supply chain, channel partners and customers – looking beyond first-order relationships
• Sources and concentrations of revenue, profit, and capital
• Go-to-market activities — including the business’s products, services, channels, and customers
• Industry structure and competitive dynamics, as well as the company’s position in both

2. Create a disrupter list, casting the net as wide as possible

• Catalogue possible catastrophic environmental, economic, political, societal, and technological events
• Categorize the events by the type of impact they might have on the business
• Limit the list to “catastrophes” – those events which encapsulate the black swan events that could threaten the company

3. Ask “what if” and determine the relative impact and consequences of a given catastrophe.

4. Design contingency plans. Typically, the analysis team generates mitigation options for each major “what if” insight. It looks for options that address multiple risks, and prioritizes them by the magnitude of risk exposure as well as the expense and ease of implementation.

No company can be completely prepared for every possible black swan event, but management can complement the day-to-day risk management with periodic disrupter analyses. These analyses can ensure that the com­pany has adequately focused its attention on high-magnitude, low-frequency events and prepare itself for unexpected catastrophes.

GovN assists directors to apply the principles of King III

Contact us today

This post was based on an article by Matthew Le Merle. Matthew is a partner with Booz & Company based in San Francisco.

King III states that a board should disclose how it “discharged its responsibility to establish an effective compliance framework and processes.”

Enterprise Content Management is a disruptive technology for the compliance framework and processes and boards must take note when it is introduced to an organisation.

ECM software creates great opportunities for compliance functions, but it can also come with great risk.

When an organisation adopts to follow an ECM strategy, the organisation’s is committing to the strategic intent to automate the management of all unstructured data.

This is good news for the compliance function as the compliance operation can be improved for zero cost.

But beware!

That attractive, seductive ECM programme may just subsumed the organisation’s core compliance requirements.

Directors, take heed and secure key agreements with executive management.

1. Make it policy

Certain sub-componants of ECM, like Web content management and document-centric collaboration, are very seductive. These are the shiny baubles that probably caught executive management’s attention at the start.

• The programme risk log should explicitly include the risk of a breach of the company’s compliance policy. Get agreement, up front, that compliance cannot be even slightly compromised.

• The programme objectives must have been established. Agreements should have been documented for what the solution must do, and what it must have. Maintaining the current performance levels of compliance functions such as document and records management should be included in the category of “musts.”

• The programme business case should be sound, especially with respect to compliance related functionality. The organisation cannot afford to implement ECM only to have to invest additionally to resolve compliance requirements.

2. Keep it real

Some things aren’t as they seem. Flashy marketing brochures for enterprise-class software are notorious for being misleading, and ECM is no exception.

The board should ensure that:

• Before any commitment is made, a thorough proof of concept has been demonstrated , and
• Before the implementation is accepted, extensive testing has been completed. Acceptance tests must ensure that the compliance functions and current levels of performance are baselined for these acceptance tests.

3. Ensure it is sustainable

The board should consider the parallel execution of the new ECM solution and the existing one - for one full year.

Compliance has a seasonal component, the new ECM solution must be able to address the compliance demand all year long, not just in the month of its deployment (which might carry a relatively light compliance demand).

This type of implementation is expensive, but it’s even more expensive to undo an inadequate implementation under the realization, several months later, that compliance has been compromised.

4. Ensure it adds value

ECM solutions have wonderful functionality – ensure that this is utilized to improve the compliance function effectiveness.

• Workflow is a great place to start, especially if all the compliance and audit processes are currently manual.
• Document-centric collaboration – tools to collaborate on document creation. Considering compliance documents such as policies and audit documents – collaboration functionality can greatly increase inclusion and feedback from the right people. Cross-functional stakeholder concerns around compliance can be addressed in near-real time.
• Web content management can be a great addition for the compliance function. For example, in the case of litigation holds. Litigation holds can be placed on web content such that it is secured and additions, deletions or changes disallowed.
• E-discovery is another compliance function which can be incorporated into any ECM implementation programme.

Enterprise Content Management is alluring, seductive and sometimes fatal to the compliance function.

The board must act with due care to ensure that this fate is avoided.

Does your compliance policy talk to the next generation’?

Keeping it real with GovN

Contact us to find out more…

This blog was based in part on an article by John Weathington, president and CEO of Excellent Management Systems Inc.  For more information go to www.excellentmanagementsystems.com

The term seems  to have been weakened to the point where it means something different to everyone who encounters it.

Here are some useful definitions:

King III:

Sustainability of a company means conducting operations in a manner that meets existing needs without compromising the ability of future generations to meet their needs. It means having regard to the impact that the business operations have on the economic life of the community in which it operated. Sustainability includes environmental, social and governance issues.

Sustainability South Africa (www.sustainabilitysa.org):

 (This is a South African Institute of Chartered Accountants, SAICA, initiative)

 It’s impossible to separate the issue of environmental sustainability from those of social and economic development.

Johannesburg Stock Exchange Social Responsibility Index Criteria:

Companies are assessed against Criteria across the triple bottom line (environment, society and economy) as well as governance (forming the foundation of the triple bottom line pillars). Within each area of measurement, companies are assessed based on policy, management / performance and reporting.

The criteria retains the triple bottom line philosophy, but the indicators are structured along ESG lines (Environment, Society, and Governance), in keeping with the framework promoted by the UN Principles for Responsible Investment.

Dow Jones Sustainability Index:

Corporate Sustainability is a business approach that creates long term shareholder value by embracing opportunities and managing risks deriving from economic, environmental and social developments.

Information Systems Audit and Control Association (ISACA):

Produced a white paper that identifies four forces driving IT action:

1. Economics (cost)
2. Environmental concerns
3. Social responsibility
4. Legislation/regulations

The Brundtland Commission (The 1987 report of the World Commission on Environment and Development):

International Federation of Accountants (IFAC, www.ifac.org):

Sustainability has three important dimensions for all organizations: (a) economic viability, (b) social responsibility, and (c) environmental responsibility.

Although trade-offs can occur between these dimensions, generally being socially responsible (towards employees, communities, and other stakeholders), and environmentally responsible, lead to enhanced trust, and, therefore, makes good business sense.

Global Reporting Initiative Vision (GRI, www.globalreporting.org):

A sustainable global economy where organizations manage their economic, environmental, social and governance performance and impacts responsibly, and report transparently.

The common thread is stewardship, or a responsibility to preserve options for the future through responsible action today.

• Environment, society and the economy
• People, planet and profits

Ford Motor Company:

For us, sustainability in its broadest sense is about economic sustainability. It’s not just about sustainability for environmental reasons — if you don’t have a sustainable business model, none of the rest matters. Bill Ford

GovN provides theory and templates to support your corporate citizenship governance

Contact us to find out more…

King III, Chapter 6, Compliance with laws, rules, codes and standards, states that

Management should establish the appropriate structures, educate and train, and communicate and measure key performance indicators relevant to compliance.

One of the new areas of best practice compliance programs is engaging nonlegal and noncompliance department employees in the roles of “Compliance Champions”.

• This leverages resources and expands the compliance footprint in the workforce, and
• Fosters an environment more committed to compliance through informal participation.

One of the goals of such a program is to train such employees to be first line compliance support on the ground:

• To respond to routine queries; and
• To alert the right people should an issue need to be escalated.

An article in the September issue of the Harvard Business Review entitled “Smart Rules: Six Ways to Get People to Solve Problems Without You” by Yves Morieux, provides “smart rules” which can assist the transition of an employee into a Compliance Champion.

Rule 1 – Improve Understanding of What Co-Workers Do

Ensure that the Compliance Champion understands what is being asked of them, the goals and challenges they are expected to meet, and the constraints under which they operate within their role as Compliance Champion.

Rule 2 – Reinforce People Who Are Integrators

One of the key roles that a Compliance Champion can fulfill is interacting with multiple stakeholders. As a business unit representative, oftentimes the Compliance Champion can obtain cooperation more quickly and at a greater frequency than a more formal compliance officer or compliance department approach.

Rule 3 – Expand the Amount of Power Available

The Compliance Champion role must be created without taking power away from others within the company. The Compliance Champions should have new and different responsibilities from others within the organization.

Rule 4 – Increase the Need for Reciprocity

Morieux defines this rule as expanding “the responsibilities of integrators beyond the activities over which they have direct control.”

Challenge the Compliance Champions to negotiate and make trade-offs rather than simply avoid issues. Expanding the goals of the Compliance Champions, encourages cooperation with the business unit.

Rule 5 – Make the Employees Feel the Shadow of the Future

Morieux posits that the longer that “it takes for the consequences of a decision to take effect, the more difficult it is to hold a decision maker accountable.”

Compliance Champions need to see that there will be consequences to their actions such as reduced lead times on projects involving Compliance Champions or regular review of measurable performance outputs. The Compliance Champion must feel that their work is real and relevant.

Rule 6 – Put the Blame on the Uncooperative

There must be accountability for those who fail to cooperate. This can be done through performance penalties. But this means more than simply sanctioning the Compliance Champion. Once there is a communication of a problem, such as the business unit failing to provide information required by the Compliance Champion to complete their assigned task, then the business unit personnel involved also need to have some type of sanction as well.

Use GovN to address your compliance governance

Don’t delay, comply today !

This blog is based on an article by Thomas Fox who can be contacted at www.tfoxlaw.com.

The financial crisis of 2008 exposed a multitude of risk management failures.

• Risks were ignored, misjudged or misrepresented.
• Rosy scenarios and perverse incentives created risks that were catastrophic!

Where does director responsibility for their company’s risk management begin and end?

King III is quite clear:

“The board should be responsible for the governance of risk” and ”Management is accountable for integrating risk in the day-to-day activities of the company.”

Where the board’s responsibility for risk management begins is clear – the board must insist that management create and maintain a strong risk management culture throughout the company.

Without a strong risk management culture, no amount of investment in risk information, risk analytics, risk experts or compliance systems will protect a company from potential disaster or from missed opportunities for growth.

A Strong Risk Management Culture is a “Mission Critical” Compliance Issue for Corporate Boards, says Dan Borge, director in the FTI Consulting Forensic and Litigation Consulting practice

In a strong risk management culture, people make better risk decisions because they have the capability and desire to do so.

A strong risk management culture displays the values, behaviors and capabilities that are necessary for effective risk management:

• Vigilance – Being alert to emerging threats and opportunities
• Agility – Deciding and acting in time
• Collaboration – Being able to work together effectively on risk issues
• Communication – Sharing information and ideas about risks
• Discipline – Knowing and doing what is right from a risk perspective
• Talent – Attracting and motivating people who have the necessary risk knowledge and skills
• Leadership – Inspiring, supporting, practicing and rewarding good risk management

Leadership requires clear statements of values and objectives and a sustained commitment that leads to substantial changes in how the company does business.

The risk management culture should be embedded not only in risk-monitoring and compliance systems, but also in business decision-making and incentive systems.

Compliance functions cannot, by themselves, impose a strong risk management culture on a reluctant organization.

But compliance functions can play a crucial role in helping the board monitor and evaluate the performance of management in building sound risk management practices throughout the company.

Many attributes of a strong risk management culture are readily observable and should be monitored by the board with assistance and independent advice from compliance and risk functions.

It is critical that the board look for these attributes in the company’s culture, identify weaknesses and ensure that management is accountable for correcting them. In these volatile times, building a strong risk management culture is a mission-critical priority for the board.

Implement a strong risk governance foundation with GovN !

Do you want to know more? Contact Us :

This blog was based on an article by Dan Borge of FTI Consulting, Inc. Contact Dan at Dan.Borge@fticonsulting.com.

2011 AGM Shareholder Meeting Trends

The Annual General Meeting, AGM, is in general poorly attended.

King III, The Code of Corporate Governance for South Africa specifically addresses this by stating as a principle in Chapter 8, that

The board should encourage shareholders to attend AGM’s.

A recent report from BNY Mellon Shareowner Services shows that in the US, shareholder meetings are getting even shorter and less elaborate.

Of the 500 companies sampled, by far the most hold their meetings in their company offices !

• 94 % in 2011, as opposed to the mere 53% in 2010,
• 60 % of these offering no refreshments or serving just beverages.

The duration of the AGM has also been trimmed this year.

• 72 % were less than one hour,
• The other 28 % were concluded in two hours or less.

At the same time, shareholders attendance in those meetings continues to decline.

• 47 % allowed only shareholders to attend the meeting, and
• 15 % allowed one accompanying guest.
• 38 % still allow shareholders to bring an unlimited number of guests to the meetings.

It appears that fewer companies are using the meeting as a marketing or public relations tool, and fewer shareholders are making the effort to attend the annual meeting

Speculation is that the meetings will be replace by shareholder forums.

BNY Mellon says that these trends lead to speculation that required in-person meetings may eventually be replaced by forums.

The communication probably in the form of audio broadcast and Webcasts for shareholders to attend meetings virtually.

The Fifth Analyst Call for CORPORATE GOVERNANCE

A controversial request by some investors in the US was for companies to put in place “The Fifth Analyst Call” on corporate governance.

Investors want companies to arrange conference calls that focus on corporate governance, allowing them direct access to have discussions with analysts about company strategy and financial performance at every quarter.

There are 2 concerns with this:

1. Possible violation of regulation, which requires public disclosure of all information specific to the trading of companies’ securities whenever there are discussions on the subject.
2. The “by invitation” meeting chaired by an investor and with director participation could result in discussions other than on corporate governance issues and into areas which may violate securities regulations.

You can rely on GovN to address your AGM corporate governance requirements

The Committee of Sponsoring Organizations (COSO) has released two guides to assist companies with implementing risk management and an enterprise risk management (ERM) process. These are particularly helpful for organisations such as those striving to apply the King III risk governance principles.

King III, the code of corporate governance for South Africa, 2008, has as a principle that management are delegated to by the board to “design, implement and monitor” a risk management plan. This plan is to be enterprise wide and entrenched in the daily operations of the organisation.

Report 1

Embracing Enterprise Risk Management: Practice Approaches for Getting Started

This guide provided ways in which companies, especially smaller ones, could move from an informal / “gut-feel” risk-management approach to a full ERM process.

The guide provides “specific, tangible actions that organizations can use to get started.”

There are 3 sections to the guide.

Section 1 of the guide, “keys to success”, has 7 themes to guide the development of formal risk management. These include focussing on the smallest number of top risks, leveraging off existing resources and embedding risk management in the “fabric of the business”.

Section 2 covers “initial action steps”, which are intended to support development of an ERM initiative:

1. Seek board and top management leadership, involvement and oversight;
2. Select a strong leader for the ERM initiative;
3. Establish a risk committee or working group;
4. Conduct an enterprise-wide risk assessment and develop a related action plan;
5. Create an inventory of existing risk-management practices;
6. Develop a communication and reporting process; and
7. Plan the next phase of action and communication.

Section 3 focuses on continuing the ERM process.

The idea of focusing attention on a small number of “top risks” and building on them can be helpful in focusing attention on how risks are identified, analyzed, and responded to within a company.

The guide offers two important points about risk analysis.

Point 1. Risk Velocity: the speed at which a risk event can come at a company, or more precisely, the time between occurrence of a risk event and its impact.

Point 2: The company’s readiness to respond to a risk event when it does occur.

Report 2

Developing Key Risk Indicators to Strengthen Enterprise Risk Management—How Key Risk Indicators Can Sharpen Focus on Emerging Risk

This report provides guidance on how to develop and use Key Risk Indicators (KRI).  Several examples of forward-looking key risk indicators are included in the report.

Common key performance indicators for customer credit may include data about customer delinquencies and write-offs.  KRIs, rather would indicate future collection issues. These KRIs could indicate emerging customer trends and use information such as the reported financial results of a company’s 25 largest customers, or the general collection challenges throughout the industry.

KRIs enable management to deal with risk events more quickly and enable management to adjust inputs such as marketing and promotion events to reduce the impact of the risk.

The guide indicates that there is a close relationship between the KRI and the risk and that the accuracy of information used are both critical.

With KRIs gaining recognition as important elements of enterprise risk management. This COSO report provides usable guidance.

Implement COSO the easy way, with GovN

Contact us now and find out how

This blog is based on a report by Rick Steinberg, who can be contacted at rms@complianceweek.com.