icsa annual conference, day 1, 15.30

The ICSA ANNUAL CONFERENCE 2016 International trends in corporate governance

Upload: institute-of-chartered-secretaries-and-administrators

Post on 12-Apr-2017

Category:

Business


TRANSCRIPT

Page 1: ICSA Annual Conference, Day 1, 15.30

The ICSA ANNUAL CONFERENCE 2016

International trends in corporate governance

Page 2: ICSA Annual Conference, Day 1, 15.30

2016 ICSA Annual Conference

Peter Turnbull

Director and Past President, Governance Institute of Australia

Non-Executive Director

© Governance Institute of Australia

Page 3: ICSA Annual Conference, Day 1, 15.30

Overview of Australian market (1)

Market:
• 2,200 publicly listed companies
• Listed market capitalisation of circa A$1.5 trillion (interest rate derivatives market is the largest in Asia at A$47 trillion)
• Some 6.7 million individual shareholders (total population – 24 million)

Regulation:
• Quite heavily regulated market – ASIC, APRA and ASX
• Post-GFC regulatory over-reach evident in some areas
• Some question the performance of ASIC, the corporate regulator

Page 4: ICSA Annual Conference, Day 1, 15.30

Overview of Australian market (2)

Governance:
• Good governance definitely matters in Australia
• Companies with questionable governance are penalised – via share price, media and/or ability to access capital (and cost)
• Regulators, proxy advisors, shareholder groups and media (including social media) – are constantly watching and are quite influential
• Management of reputation has become a much bigger issue
• ASX Corporate Governance Guidelines have driven continuous governance improvements since 2003 (“if not, why not” basis)

Page 5: ICSA Annual Conference, Day 1, 15.30

Current ‘big picture’ issues in governance in Australia

1. Risk management, especially ESG (environmental, social and governance) risks
2. Regulation – effectiveness and focus
3. Board composition – diversity
4. Superannuation governance
5. AGM – role and renewal

Page 6: ICSA Annual Conference, Day 1, 15.30

1. Environmental, social and governance risks (ESG)

• A key issue is board oversight of risk management (beyond financial risk to ESG risks) – including cyber security and reputational risks

• Investors expect comfort through proper risk systems which are embedded in everyday life and enterprise wide

• Corporate sustainability and longer term performance is a key issue:
– especially for superannuation funds which is a long term investment
– markets are under pressure, so there is heightened awareness that sustainability and risk management are also key concepts to preserving and protecting capital

Page 7: ICSA Annual Conference, Day 1, 15.30

1. Environmental, social and governance risks (2)

• Financial risk is no longer the only performance measure
• Proxy advisors and social media have heightened the call for greater accountability and transparency – especially in relation to ESG risks

Page 8: ICSA Annual Conference, Day 1, 15.30

2. Regulator and corporate culture

• Confidence in the regulator is directly linked to confidence in the markets – possible significant change ahead for ASIC

• Questions over the performance of ASIC (Government capability review underway) – staffing of around 1,700 people and budget reductions

• Regulator seeking out bad corporate culture (financial institutions focus):
– sees it as an indicator of governance problems
– difficult concept – very hard to identify and regulate bad culture
– is a regulator equipped to identify bad culture?
• Possible privatisation of the large ASIC registry business causing angst – tied to the future funding of ASIC (user pays model?)

Page 9: ICSA Annual Conference, Day 1, 15.30

3. Board composition and diversity

• Board composition debate in Australia has been over-simplified (to almost a sole focus on diversity which is in turn taken to mean gender diversity)

• Board composition is about more than diversity
• Diversity itself is about many things – ethnicity, experience, age, gender, personal traits
• 19% of ASX 200 board seats are occupied by female directors (16.5% 2014/15) – 12% have no female director
• Australian boards would benefit from greater diversity including gender diversity – it’s not just an ideal – it’s about profit – US studies have shown greater diversity (particularly gender) leads to financial outperformance in Fortune 500 companies

Page 10: ICSA Annual Conference, Day 1, 15.30

4. Superannuation governance

• Australia’s superannuation pool is circa A$2 trillion
• Reform is required:
– governance of super funds has not kept up with general governance developments and initiatives (not subject to the ASX Corporate Governance Guidelines – “if not, why not”)
– superannuation fund boards lack diversity and in some cases commitment to contemporary governance standards – which is a key issue when the longer term management and protection of investors’ money is involved
– union representatives are appointed to some super boards and can control 50% of board seats in some organisations
– reform legislation (for 50% independent directors) is currently stuck in Parliament

Page 11: ICSA Annual Conference, Day 1, 15.30

5. AGM role and renewal

• Australia’s AGM format has not kept up (virtual AGMs are rare – unlike in the US and New Zealand)

• AGM attendance is falling and shareholders are not getting the information and knowledge they need

• Australia has high levels of shareholder engagement but not via the AGM platform
• Australian corporate legislation remains wired to a hard copy world
• Reform is required and ideas being considered (or already underway) are:
– virtual interactive meetings
– full electronic delivery of papers
– possible separation of the meeting itself and voting
– direct voting

Page 12: ICSA Annual Conference, Day 1, 15.30

Changes in Corporate Governance – an introduction to King IV

By Jill Parratt
South Africa

Page 13: ICSA Annual Conference, Day 1, 15.30

ACKNOWLEDGEMENT

The content in these slides has been extracted from the website of the Institute of Directors in Southern Africa (IoDSA). However, it must be noted that the discussion points and comments as highlighted below do not reflect the view of the IoDSA or the King Committee, nor are these an indication of what will be included in King IV. They are merely intended as a reflection of the suggestions offered during the course of the working sessions which still need to be taken under consideration by the King Committee.

Page 14: ICSA Annual Conference, Day 1, 15.30

An introduction to King IV

WHY HAS THE DECISION BEEN MADE TO UPDATE KING III?
• There have been significant corporate governance and regulatory developments, locally and internationally, since King III was issued in 2009 which need to be taken into account.
• The other consideration is that whilst listed companies are generally applying King III, non-profit organisations, private companies and entities in the public sector have experienced challenges in interpreting and adapting King III to their particular circumstances. The enhancement will aim to make King IV more accessible to all types of entities across sectors.

HOW WILL KING IV BE DIFFERENT FROM KING III?
• The fundamental philosophy and concepts as currently espoused by King III will not change and companies should therefore continue following King III as it stands.
• Simplification and ease of interpretation and access will be a key tenet of King IV. One of the ways that this will be achieved is by clearly differentiating principles from practice recommendations. Principles will be stated as higher order. This is a recommended practice for listed companies currently included in King III but due to the associated cost it may be prohibitive for smaller entities and therefore different practices will be appropriate. This approach puts the emphasis on the outcome envisaged by the principle and allows for flexibility of application.

Page 15: ICSA Annual Conference, Day 1, 15.30

An introduction to King IV

IN WHICH GOVERNANCE AREAS ARE CHANGES ENVISAGED?
• King IV will be building on the content of King III. As such, the same subject matter will be covered but consideration will be given to developments that include but are not limited to the following areas: executive and directors’ remuneration, integrated reporting, responsible investing and linkage with the Code for Responsible Investing in South Africa (CRISA), the evolving role of social and ethics committees, mandated audit firm rotation and tendering, information security and protection, strategic risks and dependencies, group governance, board diversity and combined assurance.
• A primary aim of the King IV content development is to reinforce the code as an integrated and holistic system.
• In order to maintain the integrity of the integrated approach to content development, the working sessions are planned from a broader perspective towards more specificity as the discussions evolve.
• In general it was commented by participants that King IV should attempt to shift the compliance mind-set and that organisations should still be afforded the freedom and concomitant responsibility to “apply or explain”. The need for integrated thinking featured prominently at all of the working sessions.

The following are the highlights of what was suggested by the working groups to be incorporated as part of the principles and practices in King IV.

Page 16: ICSA Annual Conference, Day 1, 15.30

An introduction to King IV

Board structures
• Board and board committees should be structured and composed so that there is a balance of power and the board is able to exercise effective oversight. This includes:
– continued professional development of board members;
– succession planning;
– support by effective and strong company secretary;
– well-functioning sub-committees; and
– that the size of the board is linked to efficiency.
• There should be integration of the functioning of board structures so as to achieve integrated thinking across all aspects of the organisation.
• The board should provide ethical leadership and independence.

Board decision-making
• The board should articulate the purpose and strategic intent of the organisation and those should be evident in outcomes of the board’s decisions.
• The board should be ultimately accountable for its decisions in order for governance to be effective. To achieve this the following needs to be in place:
– transparency regarding dissenting votes on decisions;
– the integrity of information on which decisions are based should be ensured; and
– board collaboration should be based on applying EQ.

• The board should create a learning culture towards continued improvement of performance.

Page 17: ICSA Annual Conference, Day 1, 15.30

An introduction to King IV

A Group governance framework was raised as a matter that needed to be addressed in more detail and specifically the following aspects:
• Standard policies and practices across the group.
• Clear accountability and roles reinforced through induction and letters of appointment.
• The need for an understanding of the regulatory situation especially if the group operates in more than one jurisdiction.
• Code of ethics, service philosophy etc. to apply across group.
• Functioning of group board committees.
• Understanding and addressing conflicts within the context of a group.
• Proper delegation across group and alignment of all MoIs.
• The board should recognise and respect each entity within the group as separate legal persona to which legal duties are owed by its directors.
• Use of shareholder compacts and other formal arrangements to regularise relationships.

Value-creation
• The board should assume responsibility for value-creation beyond financial value. This is evidenced by:
– ethical behaviour by the board as a collective board and by individual directors;
– values and ethics within the organisation;
– healthy stakeholder relationships;
– effective and efficient allocation of 6 capitals and accounting for the enhancement, use and impact on each capital;
– striving for alignment of values of individuals with that of organisation.

Page 18: ICSA Annual Conference, Day 1, 15.30

An introduction to King IV

Integrated assurance
The Board should ensure the integrity of information used for its own decision-making as well as the integrity of information disclosed to external stakeholders. In terms of practices this means that:
• the organisation should understand why and for whom information should be provided;
• all stakeholders need information for decision-making and therefore the information needs of each key stakeholder need to be identified; and
• there should be adherence to the attributes of integrity of information: Reliability, Accuracy, Fairness, Representative, Timely.

Assurance
The board should be responsible for ensuring that material information is defined and assured. Practicing this would involve the following:
• A cost/benefit analysis is to be performed in respect of assurance;
• Each board committee should be responsible for assurance within its area of responsibility and board committees should serve as 4th line of defence – therefore important to optimise board skills and experience and site visits;
• The risk matrix (including key vulnerabilities and critical dependencies) should be mapped to board and board committee responsibilities and to the allocation of assurance provider to assess each key risk/area of risk;
• The chief audit executive should co-ordinate combined assurance and report to the audit committee chair supplemented by reporting to other board committees;
• There should be a policy and framework in place for integrated assurance;
• The standards for non-financial assurance should be agreed by the audit committee and other relevant board committees.

Page 19: ICSA Annual Conference, Day 1, 15.30

An introduction to King IV

Risk
• The board should be accountable for risk governance that contributes to the performance of the organisation.
• The board should ensure that an awareness of and an appropriate response to potential threats and opportunities are an integral part of decision-making and endeavours at all levels within the organisation. This means that:
– Risk awareness should permeate the following aspects of organisational life: strategy; reporting; decision-making; board composition; capital management; resource allocation; and stakeholder engagement.
– Risk integration should take place on horizontal levels (e.g. decision-making, setting risk appetite) as well as vertical levels (e.g. delegation).
– Risk should be part and parcel of the combined assurance framework.

• Stakeholders should be able to come to an informed view as to the ability of the organisation to create value in the short, medium and long term. Therefore, the board should ensure transparency regarding the extent to which the capitals/critical dependencies that the organisation relies on have been enhanced and/or used and impacted on.

Page 20: ICSA Annual Conference, Day 1, 15.30

An introduction to King IV

Technology and Information
• The board should ensure that technology serves value-creation by the organisation. Therefore, the board should understand how technology fits into the value-creation paradigm (i.e. understand the evolution of technology from support to enabler to being pervasive).
• The board should ensure that return/benefit is realised for the organisation from investments in technology.
• There should be an awareness by the board of technology risks, which include:
– cyber security;
– compliance;
– business continuity;
– lack of knowledge on technology on board; and
– outsourcing.
• The board should ensure that information is recognised as a corporate asset and that it is part of intellectual capital to be protected and enhanced. This can be done with regard to:
– information security;
– records management: identification, classification and ownership; and
– information privacy.

Page 21: ICSA Annual Conference, Day 1, 15.30

An introduction to King IV

Compliance
• The board should ensure an effective compliance function that leads to corporate performance and protects value. This aspiration is to be supported by:
– the definition of a compliance universe and the design of a compliance framework;
– a board that has working knowledge of material legislation and the compliance process;
– pro-activity in establishing relationship with regulators, understanding environment and trends and influencing;
– responsiveness to changes in the regulatory environment; and
– a compliance function that is efficient, fit for purpose and guided by materiality.
• Compliance should be the second line of defence within the combined/integrated assurance framework. This means that the compliance function should:
– be independent; and
– have a reporting line to board or audit committee.

Page 22: ICSA Annual Conference, Day 1, 15.30

An introduction to King IV

Remuneration
• The board should ensure that the organisation incentivises shared-value creation, including:
– remuneration policies that drive value-creation;
– performance appraisals against agreed scorecard;
– disclosure of remuneration processes and actual remuneration against the achievement of shared-value objectives;
– Reward of ethical behaviour;
– NED remuneration;
– Shareholder binding vote on remuneration; and
– Linkage of reward with KPIs.

Page 23: ICSA Annual Conference, Day 1, 15.30

An introduction to King IV

Stakeholders
• The board should ensure that stakeholders and their legitimate expectations inform strategy. This involves:
– identification of stakeholders;
– definition of “material” stakeholders;
– drafting a matrix of stakeholders and expectations;
– linking stakeholder interests to strategy, risk and opportunity; and
– considering resources required.
• The board should ensure that the outcome of stakeholder engagement is inclusive, effective and efficient and responsive to legitimate interests of all material stakeholders. This entails the following:
– dedicated accountability for stakeholder relationships and reporting;
– drafting a stakeholder map;
– drafting a stakeholder management and communication plan, including platforms and mechanisms for engagement; and
– measurement of the quality of relationships, including proximity, frequency, parity etc.
• The board should ensure that the organisation as a responsible corporate citizen creates value for its stakeholders in a sustainable manner. This involves the following:
– determining a shareholder value framework and monitoring and review against framework; and
– disclosing stakeholder value created and destroyed.

Page 24: ICSA Annual Conference, Day 1, 15.30

An introduction to King IV

Shareholders
• The board should pro-actively develop relationships with shareholders so as to strengthen the ability of shareholders to act in accordance with relevant codes that guide shareholder responsibilities. The practices that would support this are the following:
– the continual identification of shareholder groupings through shareholder registers, the classification of shareholder groupings that feed into a shareholder engagement plan.
– measuring the quality of shareholder relationships.
– setting up structured engagements.
– incorporate shareholders’ ability to affect value-creation in the risk register.
– determining the process for identifying and addressing conflicts of interest.

Page 25: ICSA Annual Conference, Day 1, 15.30

Jim Lafferty
Service Delivery Manager
Capita Company Secretarial Services

European Corporate Governance Developments 2016

Page 26: ICSA Annual Conference, Day 1, 15.30

Agenda

• Shareholders Rights Directive (“SRD”)

• Market Abuse Regulation (“MAR”)

• General Data Protection Regulation (“GDPR”)

• Key 2016 dates

2016

GDPR expected approval

SRD expected implementation

MAR in force from July 2016

Page 27: ICSA Annual Conference, Day 1, 15.30

Shareholders Rights Directive

• Proposal by European Commission in 2014 with an aim to strengthen shareholders rights and modernise corporate governance.

• Main areas addressed in the revised Directive:

• Shareholder identification

• Remuneration report voting

• Country by country reporting

• Implementation is expected in mid-2016 with member states required to adopt within 18 months from this date.

• This is a Directive rather than a Regulation.

Page 28: ICSA Annual Conference, Day 1, 15.30

Market Abuse Regulation

• Comes into force on 1 July 2016 with the aim of enhancing market integrity while ensuring a single rulebook and level playing field across the EU.

• Main areas addressed by MAR:

• Insider lists – enhanced requirements

• Changes to PDMR transactions

• New provisions for the disclosure of insider information

• Expect greater scrutiny by the FCA following the formal implementation.

• Provisions are known so act now to ensure a smooth transition.

Page 29: ICSA Annual Conference, Day 1, 15.30

General Data Protection Regulation

• Formal approval expected in Q1 2016 with member states having 2 years to implement the changes.

• Main areas addressed by the regulation:

• Explicit consent and digital age of consent

• Broader right to be ‘forgotten’

• ‘One-stop shop’ for data protection complaints

• Increasing company liability for breaches

• This is a Regulation rather than a Directive.

• Tiered approach to penalties for breach, some infringements can be up to 4% of worldwide turnover.

Page 30: ICSA Annual Conference, Day 1, 15.30

Corporate Governance Trina Hill, March 2016.

Page 31: ICSA Annual Conference, Day 1, 15.30

Syllabus outline

Candidates are required to discuss in detail statutory rules and the principles or provisions of governance codes, and apply them to specific situations or case studies.

Strong UK emphasis (UK Corporate Governance Code 2014) - other codes can be cited in answers but must be referenced.

Page 32: ICSA Annual Conference, Day 1, 15.30

Syllabus outline

15% weighting 10% weighting

Effectiveness of the board and committees

General governance principles

Board of directors and leadership

Risk management and internal control

Governance and accountability

Remuneration

Relations with shareholders

Corporate social responsibility

Other governance issues

Page 33: ICSA Annual Conference, Day 1, 15.30

Examination format

• 3 hours and 15 minutes (including reading time)

• Answer 4 questions in total (out of 6)

• Questions may ask for a particular form of answer (e.g. a report to the board)

• Scenario based questions

• Each question carries 25 marks

Page 34: ICSA Annual Conference, Day 1, 15.30

How to pass

50% >= Pass: set out principles, no/limited application

65% >= Merit: discuss and apply principles

75% >= Distinction: “discuss in detail and apply”

Page 35: ICSA Annual Conference, Day 1, 15.30

Corporate Governance November 2015 exam

• Question 1: general principles/board composition

• Question 2: financial reporting/auditors (governance and accountability)

• Question 3: shareholder relations

• Question 4: remuneration

• Question 5: risk management

• Question 6: other governance (unlisted co)

Page 36: ICSA Annual Conference, Day 1, 15.30

Question 1

• Prepare a report to the board

• Describe OECD principles and main principles of UK Corporate Governance Code 2014

(14 marks)

• Changes required to board and committees of Elmer plc to become a ‘smaller’ listed company

(11 marks)

Page 37: ICSA Annual Conference, Day 1, 15.30

Script for Question 1

Distinction level answer

• What has the candidate done well?

• What improvements could be made?

Page 38: ICSA Annual Conference, Day 1, 15.30

Question 2

• Explain what a ‘going concern’ statement is (5 marks)

• Describe responsibilities of directors (listed co) for financial reporting under CA 2006 and UK CG Code.

(14 marks)

• Discuss division of responsibility between directors and external auditors for prevention and detection of fraud.

(6 marks)

Page 39: ICSA Annual Conference, Day 1, 15.30

Question 3

• Describe the rights and powers of shareholders and proxies and explain how those relate to the situation regarding Monk nominees Ltd

(14 marks)

• What is meant by ‘shareholder activism’; explain how Bailey plc can improve engagement and dialogue with major shareholders, including Monk, both prior to and at the AGM

(11 marks)

Page 40: ICSA Annual Conference, Day 1, 15.30

Question 4

• Discuss why remuneration is recognised as an important governance issue and the role of shareholders in monitoring it.

(8 marks)

• Explain the role and composition of the remuneration committee (under UK CG Code)

(8 marks)

• Describe and explain the matters which the remuneration committee (of Took plc) should consider when preparing for the AGM. (9 marks)

Page 41: ICSA Annual Conference, Day 1, 15.30

Question 5

• Identify the UK CG Code principles in respect of risk management (8 marks)

• Discuss the differences between strategic and operational risk; describe the general risk areas, with examples as relevant to Loran plc

(9 marks)

• Define the key elements of a disaster recovery plan (8 marks)

Page 42: ICSA Annual Conference, Day 1, 15.30

Question 6

• Contrast the approach to corporate governance in listed and unlisted companies and outline general principles applicable to all unlisted companies (12 marks)

• Prepare a schedule of matters reserved for the board; explain why this would be useful to Morton Ltd.

(13 marks)

Page 43: ICSA Annual Conference, Day 1, 15.30

Script for Question 6

Fail B level answer

• Less than 3 marks away from a pass

• What did the candidate do well?

• What improvements could be made?

• 7 more marks needed for a merit or 9 more marks needed for a Distinction

Page 44: ICSA Annual Conference, Day 1, 15.30

Are there any questions?

Page 45: ICSA Annual Conference, Day 1, 15.30

Thank you

Page 46: ICSA Annual Conference, Day 1, 15.30

www.chiron-risk.com

Risk Literacy

What is it & why is it important?

Prof Garry Honey 8 March 2016

Page 47: ICSA Annual Conference, Day 1, 15.30

Agenda

1. Literacy – definition & context

2. Boards & Risk – conduct & culture

3. Company Secretary – role & responsibility

4. Future challenges – forecasting & facilitation

Page 48: ICSA Annual Conference, Day 1, 15.30

1. Risk Literacy

Page 49: ICSA Annual Conference, Day 1, 15.30

Language of Risk

Approach – Do we seek or avoid, Is it a threat or an opportunity?

Appetite – How much should we take, what reward and controls?

Tolerance – What penalties will we bear, what is Acceptable risk?

Literacy – Maturity and experience in coping with uncertainty

Page 50: ICSA Annual Conference, Day 1, 15.30

Wet floor

Invitation or warning?

Approach: opportunity or threat?

Page 51: ICSA Annual Conference, Day 1, 15.30

Invitation or warning?

perception is everything……

Page 52: ICSA Annual Conference, Day 1, 15.30

Perception of risk

As a Threat - not everyone agrees on what risk actually means:

• Business interruption threats – inconvenience

• Potential accidents & personal hazards – liabilities

• Incidents where non-compliance occurs – censure

• Events which could lead to a financial impact – cost

Lawyers, Accountants & Insurers each see risk differently

Significantly Regulators and Investors do also!

Page 53: ICSA Annual Conference, Day 1, 15.30

Attitude to Risk

Perception of Risk

Individual level

Team level

Department level

Divisional level

Country level

Regional level

Global Corporate

Chief Risk Officer / Director of Risk

Chief Financial Officer /Finance Director

Chief Legal Officer / General Counsel

Non-Exec Directors - NEDs

Compliance Director / Head of Internal Audit

Company Secretary

Chief Executive Officer / Managing Director

Chief Operating Officer / Operations Director

Chairman

Attitude + Perception = Approach

Page 54: ICSA Annual Conference, Day 1, 15.30

External environment
• Marketplace
• Moment - circumstance

Internal culture
• Attitude to risk
• Nature of business

Past experience
• Probability & severity
• Future forecast

Business priority
• Growth or consolidation
• sales or safety

APPETITE
What risks are we prepared to take?

Hunger: risk seeking to aversion

TOLERANCE
What level of loss is acceptable?

Pain: quantification of loss

Appetite + Tolerance

Page 55: ICSA Annual Conference, Day 1, 15.30

risk literacy is not maturity

Competent, Conscious – 3. Maturing: We know about risk. We also know how to manage it. e.g. most FTSE 100 companies

Competent, Unconscious – 4. Very mature: Risk is culturally integral. We know how to handle it. e.g. Investment banks, gamblers

Incompetent, Conscious – 2. Adolescent: We know about risk, but still we aren’t capable of managing it. e.g. Hospitals & schools

Incompetent, Unconscious – 1. Immature: We don’t know much about risk. We aren’t capable of managing it. e.g. Church & Third sector

Page 56: ICSA Annual Conference, Day 1, 15.30

Risk Literacy

‘Information (environment) fosters understanding (cognition). Non-transparent forms create confusion. Our brain is better at dealing with risks when they are represented as natural frequencies rather than conditional probabilities, better when they are represented as absolute rather than relative risks…….

……people strive towards certainty - which does not exist. We need people who can cope with risk and deal with it in an informed way’

Center for Risk Literacy, Max Planck Institute, Berlin

Page 57: ICSA Annual Conference, Day 1, 15.30

Risk as Future Uncertainty

‘Risk is a word that engenders a sense of urgency because it alludes to the probability of adverse, sometimes catastrophic, outcomes. Much of the urgent acrimony stems from a lack of agreement about the meaning of the word. People are using the same word to refer to different things…

…risk is a word that refers to the future. It has no objective existence. The future exists only in the imagination’

Prof John Adams, UCL - Risk

Page 58: ICSA Annual Conference, Day 1, 15.30

Risk Literacy - summary

Literacy is important because the future is uncertain, it is unrealistic and imprudent to offer certainties or reassurance about the unknown or unknowable:

Risk is about future uncertainty…and the probability of events occurring which impact business continuity

Strategy is about future direction…. and the route chosen to achieve pre-determined goals or business objectives

Page 59: ICSA Annual Conference, Day 1, 15.30

2. Boards & Risk

Page 60: ICSA Annual Conference, Day 1, 15.30

Risk Culture

Risk has become a field of expertise since 2008

Most firms have a CRO or Risk Committee

Risk reporting is a statutory requirement

Risk often sits within:

– Finance - Assurance, Audit
– Compliance - Governance & Regulation
– Operations - Liquidity, Safety etc.

Page 61: ICSA Annual Conference, Day 1, 15.30

Risk specialism is a myth

Risk has become a control function

Continuity

Contingency

Control Risk management

Conduct Regulator compliance

Page 62: ICSA Annual Conference, Day 1, 15.30

Risk Management

Future uncertainty –
• not just danger or disruption
• can also represent opportunity

Our response is to –
• reduce damaging uncertainty
• control our destiny & remove surprise

Risk management has become –
• a framework of control systems (ERM)
• that deliver the illusion of control

Page 63: ICSA Annual Conference, Day 1, 15.30

High Severity

Medium Severity

Low Severity

Low probability

Medium probability

High probability

Heat map – visualised control

Page 64: ICSA Annual Conference, Day 1, 15.30

Risk Registers

Lists of possible interruptions (known unknowns)

Ranked by probability and impact/cost (based on estimates)

Responsible individuals named (potential blame-owners)

Contingency actions identified (based on estimated impact)

Provided for external auditors (who don’t scrutinize content)

Reviewed at board meeting annually (so risks don’t change much)

Page 65: ICSA Annual Conference, Day 1, 15.30


Management & Control

How are we going to control risk? – wrong question

How are we going to reduce uncertainty? – right question

Page 66: ICSA Annual Conference, Day 1, 15.30


Risk Reporting

Risk Type | Reporting Frequency | Control & Predict | Strategy | Examples
Market Risk | Occasional | Hardest | Mitigate | marketplace - exchange or interest rates, taxation, government policy, competitor activity, pricing, product demand etc.
Operational Risk | Regularly | Easiest | Retain & manage | business - financial, insurance, liquidity, credit, capital, project, ERM, corporate responsibility, brand activity etc.
Strategic Risk | Rarely | Difficult | Avoid or mitigate | direction - impact on chosen strategy, sustainability, reputation, culture & corporate behaviour, value alignments.
Principal Risk / Significant Risk | Statutory requirement | Difficult | Manage | realisable value - ROI, significant to investors - share price, reputation etc.

Page 67: ICSA Annual Conference, Day 1, 15.30


Risk accountability & reporting

Reporting to external audiences –

– Demonstrate compliance to regulator - governance

– Provide confidence to investors - control

Reporting to internal audiences –

– Specify controls for risk management - systems

– Manage potential business interruption - impacts

Page 68: ICSA Annual Conference, Day 1, 15.30


Why we report risk

Compliance – disclosure for regulators & auditors

Confidence – inspiration for investors and key influencers

Confirmation – vindication of strategy & management

Communication – with all key stakeholder audiences

Page 69: ICSA Annual Conference, Day 1, 15.30


Boards & Risk - summary

It only works if we are honest and open about risk as uncertainty. Many of our audiences naturally seek certainty. In giving them this, based on control systems, are we setting ourselves up for a fall?

Could the Company Secretary play a positive role in risk literacy?

Page 70: ICSA Annual Conference, Day 1, 15.30


3. Company Secretary role

Page 71: ICSA Annual Conference, Day 1, 15.30


Henley report 2014

Pivotal figure in boardroom

Facilitator of key decisions & board effectiveness

Vital link between Exec & Non-Exec members

Increasingly an outward facing role, not just internal admin.

Regulators want to see greater risk literacy

Page 72: ICSA Annual Conference, Day 1, 15.30


FRC on risk 2011

Why is corporate risk reporting inadequate?

1. Board responsibility and ownership – approach to risk

2. Nature of risk needs more explanation – interpretation of risk

3. Reporting is not just about compliance – information about risk

Page 73: ICSA Annual Conference, Day 1, 15.30


Risk Literacy & Risk Governance

1. Approach to risk

The Board is responsible for determining the approach to risk, setting its culture, risk identification, oversight of risk management, and crisis management. It is a shared responsibility.

2. Interpretation of risk

The Board needs to agree its appetite or tolerance for key individual risks; to understand the company’s exposure to risk and how this might change….. companies should indicate to shareholders when and to what extent they believed their exposure to risk was changing.

3. Information about risk

Qualify why the reported risk is significant, why it represents a threat and what the organisation is doing to control this. Explain how readers will know when a risk ceases to exist and explain contingent factors that increase or decrease this risk.

Page 74: ICSA Annual Conference, Day 1, 15.30


Some recent guidelines -

LSE - Risk Culture in Financial Organisations (Jul 2013)

BS 13500 - Effective Governance Standard (Oct 2013)

FSB - Risk Culture Guidance (Apr 2014)

IBE - Business Ethics in Corporate Reporting (May 2014)

FRC - Guidance on the Strategic Report (June 2014)

IIA - Culture and Internal Audit (July 2014)

FRC - Corporate Code update (Sept 2014)

OECD - Principles of Corporate Governance (Nov 2014)

ACCA - Channelling Corporate Behaviour (Dec 2014)

FRC - Report on Corporate Governance & Stewardship (Jan 2015)

Deloitte - The Changing Role of Compliance (Apr 2015)

ICSA – The Company Secretary – Building Trust through Governance

PRA – Corporate Governance – Board Responsibilities (May 2015)


Page 75: ICSA Annual Conference, Day 1, 15.30


4. Future challenges

Page 76: ICSA Annual Conference, Day 1, 15.30


Guard against cognitive bias in boardroom

1. Representation bias - tendency to categorise new risks according to how much they resemble familiar risks

2. Availability bias - tendency to judge risks if they can think of examples, hence depends on their exposure & experience

3. Anchoring bias - tendency to view risk depending on the starting point or frame of reference

4. Hindsight bias - tendency to rely on perceived competence in previous risk handling; failing to learn from experience

5. Cognitive dissonance - tendency to close distance between two positions & reduce tension; tend to justify after the fact

6. Confirmation bias - tendency to seek evidence to confirm a viewpoint, tendency to ignore conflicting evidence

Source – Lloyds Emerging Risks – Bear, Bull & Lemming 2010

Page 77: ICSA Annual Conference, Day 1, 15.30


Guard against ‘Groupthink’

‘An excessive form of concurrence seeking among members of high prestige, tightly knit policy-making groups in which group members come to value the group and being part of it more highly than anything else…….

…this causes them to strive for a quick and painless unanimity on the issues that the group has to confront……group members suppress personal doubts, silence dissenters and follow the group leader’s suggestions…..

…the results are a distorted view of reality, excessive optimism producing hasty and reckless policies, and a neglect of ethical issues.’

Source: P. Hart ‘Victims of Groupthink’ – Political Psychology 1991

Based on I. Janis ‘Psychological study of foreign policy decisions’ 1972

Page 78: ICSA Annual Conference, Day 1, 15.30


Promote risk as Philosophy not Function

Risk as FUNCTION

• Damage limitation

• Business continuity

• Controls & systems

• Threat mitigation

Risk as PHILOSOPHY

• Reducing uncertainty

• Growth opportunity

• Understanding bias

• Commercial advantage

Strategic risk

Operational risk

Good Governance…….including risk governance

Page 79: ICSA Annual Conference, Day 1, 15.30


Ensure compliance with SMR

FCA Senior Managers Regime (SMR): Consultancy paper: Strengthening accountability in banking: a new regulatory framework for individuals. Feedback March 2015, ref CP 15/9

Proposals put out in consultation paper for industry feedback based on Parliamentary Commission on Banking Standards (PCBS) and powers granted by the Financial Services (Banking reform) Act 2013.

HM Treasury wants implementation by 7 March 2016, so companies have a year in which to secure compliance with the regime – which replaces the Approved Persons Regime (APER).

The SMR is ‘the new regime for individuals who are subject to regulatory approval, which focuses on senior individuals who hold key roles or have overall responsibility for key areas’ (1.11).

Page 80: ICSA Annual Conference, Day 1, 15.30


Ensure compliance with EU Directives

• Directive 2014/95/EU - Non-financial reporting

• European Parliament adopted on 15 April 2014

• Council of the European Commission adopted on 29 September 2014

• Companies (with 500+ employees) will need to disclose information on policies, risks and outcomes as regards environmental matters, social and employee-related aspects, respect for human rights, anti-corruption and bribery issues, and diversity in their board of directors…. Companies will be required to disclose concise, useful information necessary for an understanding of their development, performance, position and impact of their activity,


Page 81: ICSA Annual Conference, Day 1, 15.30


Explore causes of uncertainty

Uncertainty as variability (aleatoric)

A range of outcomes possible - you can’t be sure which one might actually happen.

Uncertainty as ambiguity (epistemic)

A number of outcomes possible – you don’t have enough information.

Uncertainty as unknown (ontological)

The Donald Rumsfeld unknown-unknowns which are really unknowable-unknowns. Risks we do not see because we don't know that we should be looking for them.

Page 82: ICSA Annual Conference, Day 1, 15.30


Control what you can

‘The essence of risk management lies in maximising the areas where we have some control over the outcome, while minimising the areas where we have absolutely no control over the outcome’

‘Against the Gods, the remarkable story of risk’ Peter Bernstein

Page 83: ICSA Annual Conference, Day 1, 15.30


Summary

Use your unique position to challenge risk as a specialism

Use diplomacy to help the board engage with uncertainty

Promote improved risk literacy

Know when to call for reinforcements


Page 84: ICSA Annual Conference, Day 1, 15.30

Audit Related Matters

Perspectives from an Audit Chairman, an Auditor and a Company Secretary

ICSA Annual Conference

Page 85: ICSA Annual Conference, Day 1, 15.30

Introduction to the Panel

Ian Barlow, Chairman Audit Committee, Smith & Nephew plc

Stephen Oxley, KPMG, Audit Partner, Smith & Nephew plc

Susan Swabey, Company Secretary, Smith & Nephew plc

KPMG have just completed their first audit for Smith & Nephew having been appointed to replace auditors who had been in place since 1937.

Smith and Nephew Users
Susan can introduce the panel and set the scene
Page 86: ICSA Annual Conference, Day 1, 15.30

Topics for Discussion

• Changing Dynamics

– between the Non-Executives and the Executive team

– between the Board and the Audit Committee

• Conducting an audit tender

• Enhanced reporting on Activities of the Audit Committee

• Changes to the UK Corporate Governance Code

– Risk management & risk and controls monitoring

– Viability statement

• Tax transparency – looking ahead to country by country reporting

• What does the Audit Committee Chairman expect from the Company Secretary or Secretary to the Audit Committee?

Smith and Nephew Users
Here are some suggested topics for the session. At the last session we did, we asked the audience to indicate which of these topics most interested them and then tried to tailor our time accordingly. However the audience was pretty evenly split between all the topics.
Page 87: ICSA Annual Conference, Day 1, 15.30

Changing Dynamics – View of the Audit Committee Chairman

• The UK has a unitary Board system and directors share joint and several liability

• Audit Committees have increasing responsibilities, many quasi-executive in nature – eg managing the internal audit function, agreeing audit fees, audit tenders.

• Audit Committees are also responsible for independent oversight of the financial statements and key judgements – the FRC is now emphasising the Audit Committee makes its own independent enquiry, rather than relying on management or the auditors

• Relationship with the Board has changed, with Audit Committee doing heavy lifting on matters such as risk management processes, fair, balanced and understandable.

• Fine balance between exercising oversight and becoming too involved. Need to take care that the role of an Audit Committee member does not become too “executive”.

 

Smith and Nephew Users
Ian spoke very well on this slide talking about the perspective of an Audit Committee Chairman.
Page 88: ICSA Annual Conference, Day 1, 15.30

Changing Dynamics – View of the Auditor

The recent CMA Order requires FTSE350 companies to tender their audit every 10 years and, through disclosure, encourages 5 year tendering

EU reforms set to

• introduce MFR and a ‘blacklist’ of prohibited non-audit services

• Create specific legislative requirements around audit tenders

The Code (and FRC Guidance on Audit Committees) set to ‘require’:

• Sectorial competence on the AC and at least one member with competence in accounting and/or audit

• New disclosures focussed on audit committee effectiveness and the impact of both FRC audit inspections and corporate reporting reviews

The new environment is indirectly driving innovation in areas like auditor reporting and data & analytics

Page 89: ICSA Annual Conference, Day 1, 15.30

Conducting an Audit Tender (1)

Only the audit committee is permitted to initiate / supervise the tender process, and make the recommendation(s) to the board

The audit committee must ensure that:

• the tender process does not preclude the participation of non-Big 4 firms

• tender documents allow invited auditors to understand the business

• the proposals are evaluated in accordance with predefined transparent selection criteria

• consideration is given to any inspection report findings

• the company can demonstrate that the selection procedure was fair

The committee must identify its first and second choices for appointment and give reasons for its choices.

• Audit tenders at least every 10 years

• Mandatory auditor rotation at 20 years

• Transitional rules based on the length of audit tenure

Page 90: ICSA Annual Conference, Day 1, 15.30

Conducting an Audit Tender (2)

Date | Action
April 2014 (pre tender process) | Each firm presents to Audit Committee
Late May 2014 | 2 days of presentations and workshops, access to senior management
End June 2014 | Submission of written tenders
Early July 2014 | Presentation to Steering Committee (audit question added in to process in last 48 hours)
 | Meeting of Steering Committee, then announcement
Autumn 2014 | Commence shadowing process
January 2015 | Shadow audit process of retiring auditors
April 2015 | Formal appointment by shareholders at AGM
July 2015 | Audit of first half year
February 2016 | First full year audit completed

Smith and Nephew Users
Susan and Ian can talk through the process followed by Smith & Nephew with KPMG commenting on how it worked from their perspective
Page 91: ICSA Annual Conference, Day 1, 15.30

Conducting an Audit Tender (3)

• Ensuring independence and avoiding conflicts

• Getting to know a new auditor ……and a new client

• Lessons learned

Smith and Nephew Users
Susan and Ian can talk about how we ensured independence and thought about conflicts. Susan can talk about untangling other relationships. We might also talk about the thought processes the Audit Committee went through in making the final choice. All firms could do the job, but a lot comes down to approach, relationships, ways of working etc. We could all give our own views following the first audit - surprises etc. Lessons learned include need to plan, advantages of a quick process, don't underestimate upheaval for finance team in year one
Page 92: ICSA Annual Conference, Day 1, 15.30

Enhanced Reporting Requirements (1)

Audit Committee Reports

The ‘Code’ now requires disclosure of:

• the significant issues considered in relation to the financial statements, and how addressed

• an explanation of how the effectiveness of the external audit process was assessed

• the approach taken to the appointment or reappointment of the external auditor, the length of tenure of the current audit firm and when a tender was last conducted

• an explanation of how auditor objectivity and independence are safeguarded

FRC Financial Reporting Lab pushing for more granularity

Audit Reports

Changes to Auditing Standards now require that audit reports include:

• Audit risk

• Audit materiality

• Audit scope

Innovation has resulted in

• Company specific reporting

• Graphics

• Disclosure of ‘findings’ (eg, Rolls-Royce)

Page 93: ICSA Annual Conference, Day 1, 15.30

Enhanced Reporting Requirements (2)

• Introductory letter from Audit Committee Chairman

• Discussion on areas of judgment and how they were resolved

• Ensuring alignment with the Auditors’ Report

• Enhanced disclosures on audit supervision – independence, non-audit fees, tenure, tendering, quality – and scope and materiality

• Audit Committee effectiveness

Smith and Nephew Users
Susan and Ian to discuss the changes we have made to the Audit Committee Report
Page 94: ICSA Annual Conference, Day 1, 15.30

Risk Management and the Viability Statement (1)

• Disclose the principal risks and how mitigated

• Confirm that the directors have performed a robust assessment of the principal risks

• Clarification that the board should review the effectiveness of internal control and risk management systems on an ongoing basis – not a year-end exercise

• Disclose the actions taken to remedy significant failings or weaknesses

• Disclose how the prospects of the company have been assessed, over what period and why that period is appropriate

• Confirm that the directors have a reasonable expectation that the company will continue in operation and meet its liabilities as they fall due over the period of the assessment

Page 95: ICSA Annual Conference, Day 1, 15.30

Risk Management and the Viability Statement (2)

Risk management: 5 things we have learned

• Increased focus on risk management disclosures – more disclosure around the process

• Graphics are much more prevalent

• Principal risk disclosures are dynamic – new risks have been added (or taken out)

• Companies are starting to talk about risk culture

• Companies are starting to talk about risk appetite

Viability statements: 5 things we have learned

• The majority of statements are in the Strategic Report

• Most are with, or adjacent to, the principal risk disclosures

• Assessment periods are usually based on the existing mid-term planning cycle

• Around 2/3 have chosen three years and around 1/3 five years

• So far, very few go beyond generic statements around the assumptions and qualifications

Page 96: ICSA Annual Conference, Day 1, 15.30

Risk Management and the Viability Statement (3)

• Audit Committee reviewed risk management process in February and July and considered the reporting requirements in October and again in February 2016

• During the year, the Board re-appraised our tolerance to our principal risks, conducted a “black swan” exercise, held a Board Development Session focused on risk management and risk appetite and carried out “risk Deep Dives” into Cyber Security and single site dependency.

• Asked Internal Audit to evaluate the effectiveness of our risk management programme

• Group Finance modelled worst case scenarios focusing on our principal risks and then assessed impact of aggregating some of the risk and then comparing with our funding facilities

• Updated the risk disclosures in our Annual Report. Viability Statement sits in the Annual Report at the end of our discussion on risk and covers a period of three years

Smith and Nephew Users
Susan and Ian can talk through Board's risk management actions in 2015 leading up to making the Viability Statement
Page 97: ICSA Annual Conference, Day 1, 15.30

Tax Transparency Agenda

• OECD issued final BEPS reports on 5 Oct, 15 Actions identified. Individual countries deciding how to implement

• Country by Country Reporting (CBCR) accepted by OECD and G20 countries as minimum standard. Effective for years beginning on or after 1 Jan 2016 and will require sharing of information including revenue, profit, tax paid and employee numbers on a country by country basis with other tax authorities adopting the guidelines

• Other proposals affecting multinationals include rewritten transfer pricing guidelines to align returns with value creation and proposed restrictions on the deductibility of finance costs, including external interest

• Separately HMRC have launched a consultation on the publication of tax strategy and a voluntary code of practice incorporating a common set of principles that multinationals will be encouraged to sign up to

Smith and Nephew Users
I am hoping that KPMG and Ian would be happy to take this one. Maybe KPMG could talk through the requirements and Ian could comment
Page 98: ICSA Annual Conference, Day 1, 15.30

What does the Audit Committee Chairman Expect from the Company Secretary or Secretary to the Audit Committee

• Getting the basics right – efficient marshalling and distribution of papers, organising and timing of meetings and production of minutes/follow up actions

• Independent support – on fulfilling statutory Audit Committee requirements e.g. ‘fair, balanced and understandable’, internal reporting to Audit Committee e.g. by Internal Audit

• Liaison between Audit Committee and executive – where needed e.g. in preparation of papers particularly in emerging areas like Risk.

• Ownership of Annual Report & Accounts – to ensure coherent, comprehensive and compliant content

• Company Secretary is key governance contact – links to Internal Audit, Risk function, General Counsel, Finance team

Smith and Nephew Users
This is a good slide for an audience of company secretaries and was popular when Ian presented it last time
Page 99: ICSA Annual Conference, Day 1, 15.30