Developing a Corporate Governance Framework
About ERM
CYBER SECURITY | REGULATORY COMPLIANCE | DIGITAL FORENSICS
About The Speaker
Karen Livingstone
Practice Director at ERM
Risk Management, Governance, Regulatory Compliance
CPA, CISA, CIA, CRMA designations
20+ years of global experience
Agenda
Top Ten Boardroom Topics
Corporate Governance Definitions and Guidelines
Framework Components and Characteristics
Board versus Management Responsibilities
Cybersecurity Risk Update
Q&A
Top Ten
Fiscal and economic uncertainty
Mobile and social media
Cybersecurity
Reputation risk
Executive compensation
Health care reform
Board composition
Need and ability to retain key talent
Increasing regulation
Information overload
(Akin Gump Strauss Hauer and Feld LLP, 12/2/12)
Definitions and Guidelines
“Corporate governance refers to that blend of law, regulation, and appropriate voluntary private-sector practices which enables the corporation to attract financial and human capital, perform efficiently, and thereby perpetuate itself by generating long-term economic value for its shareholders, while respecting the interests of stakeholders and society as a whole.”
What is Corporate Governance?
Ira M. Millstein, Senior Partner, Weil, Gotshal & Manges LLP and noted authority on corporate governance
Definitions and Guidelines
“The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of objectives” (The IIA)
A framework of rules and procedures by which decisions are made and how accountability is enforced
Working collaboratively to review and advise management on strategies, plans, decisions, and activities
Accountability avoidance mitigation
Questioning and challenging management decisions and actions from a more objective viewpoint than management’s – one informed more by both shareholder and public interests
What is Corporate Governance?
Definitions and Guidelines
The American Law Institute (“ALI”), Principles of Corporate Governance: Analysis and Recommendations, Vol. 1 (1994, with supplements).
Business Roundtable, Principles of Corporate Governance (May 2002, most recently revised June 2012).
National Association of Corporate Directors (“NACD”), Report of the NACD Blue Ribbon Commission on Director Professionalism (November 1996, reissued 2001, 2005, and 2011).
The Conference Board Commission on Public Trust and Private Enterprise, Findings and Recommendations, Part 1: Executive Compensation (September 17, 2002); Findings and Recommendations, Part 2: Corporate Governance and Part 3: Audit and Accounting (January 9, 2003). See also The Conference Board, Corporate Governance Handbook: Legal Standards and Board Practices (2009).
Definitions and Guidelines
Business Sector Advisory Group on Corporate Governance, chaired by Ira M. Millstein, Corporate Governance: Improving Competitiveness and Access to Capital in Global Markets: A Report to the OECD (the “Millstein Report”) (April 1998).
California Public Employees’ Retirement System (“CalPERS”), Corporate Governance Principles and Guidelines – United States (April 1998), most recently revised and renamed, Global Principles of Accountable Corporate Governance (November 2011).
Definitions and Guidelines
Council of Institutional Investors (“CII”), Corporate Governance Policies (March 1998, most recently revised October 2012).
Teachers Insurance and Annuity Association–College Retirement Equities Fund (“TIAA-CREF”), TIAA-CREF Policy Statement on Corporate Governance (October 1997, most recently revised January 2012).
American Federation of Labor and Congress of Industrial Organizations (“AFL-CIO”), AFL-CIO Proxy Voting Guidelines – Exercising Authority, Restoring Accountability (1997, most recently revised 2012).
ISS, 2013 U.S. Proxy Voting Guidelines Summary (2012); ISS, Governance Risk Indicators 2.0 Technical Document (most recently revised March 2012).
Key Agreed Principles to Strengthen Corporate Governance for U.S. Publicly Traded Companies (National Association of Corporate Directors, 2008) (hereinafter “Key Agreed Principles”).
Framework Components and Characteristics
A systematic approach to identify and manage increased oversight responsibilities, regulations, risks, and stakeholder expectations. A Corporate Governance framework is a:
Guide for a board to use in defining, developing, and deploying the elements of its corporate governance infrastructure
Mechanism for the definition and organization of governance responsibilities between the board and management
Key to sustaining resilience (adaptive capacity of an organization in a complex and changing environment) (ISO 31000)
Framework Components and Characteristics
Board responsibility for governance
Corporate governance transparency
Director competency and commitment
Board accountability and objectivity
Independent board leadership
Integrity, ethics, and responsibility
Attention to information, agenda, and strategy
Protection against board entrenchment
Shareholder input in director selection
Shareholder communications
Framework Components and Characteristics
Components:
• Ethics and Integrity
• Mission, Vision and Strategy
• Governance structures and Processes
• Operational, Financial, Risk Management Performance
• Executive Leadership
• Stakeholder Expectations
• Self Assessment
Characteristics:
• Ownership
• Coordination
• Relevant
• Clear and understandable
• Concise
• Easily accessible
• Laws and regulations
• Current
Framework Components and Characteristics
Primary driver is the perception of risk and its impact on culture
Risk profile – comprised of risk attitude, appetite, and tolerance levels
Risk attitude – organization’s approach to assess and eventually pursue, retain, take or turn away from risk
Risk appetite – amount and type of risk that an organization is willing to pursue or retain
Risk tolerance – organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives.
Influenced by legal and regulatory requirements
Framework Components and Characteristics
Culture is defined and influenced by an organization’s risk profile.
Culture represents the intersection of risk and board and management activities
Tone at the top for risk taking is fulfilled through board and management responsibilities
Key Agreed Principles as presented by the NACD for US Traded Public Companies
Management Responsibilities
• Planning: Management develops strategic, financial, operational, and other plans to meet goals and objectives defined in the strategy
• Operations: Management executes plans through operations related to production, sales, marketing, distribution, risk management, human resources, finance, and other functions across the organization
• Reporting: Management reports operating results through financial reporting and other reports specified by regulatory authorities and securities exchange listing requirements
• Compliance: Management designs and operates internal controls including methods and tools for conducting operations in compliance with legal and regulatory requirements
Framework Components and Characteristics
Establish/adopt a corporate philosophy or mission
Identify risk profile (risk attitude, appetite, and tolerance levels)
Define the ethical climate
Design an assurance methodology for ethical behavior and compliance with laws and regulations
Design corporate governance structures, policies, and processes
Design monitoring processes (Board and committee composition, allocation of accountability and responsibilities)
Identify and assign stakeholder management and communication activities
Implement a board self assessment process
Cybersecurity Risk Update
Cybersecurity was noted as one of the top ten risks for Boards in 2013 and is emphasized again in 2014. A recent study by the Ponemon Institute found that the number of successful cyber-attacks on companies jumped 42% in the past year, and according to the Department of Homeland Security, the number of cyber threats by mid-2013 had already exceeded the total number of incidents in 2012.
Regulations related to the security, confidentiality and privacy of information continue to evolve. Public companies are now subject to new SEC disclosure requirements regarding cybersecurity, and in 2013 President Obama signed an executive order directing the National Institute of Standards and Technology (NIST) to develop a voluntary cybersecurity framework that was released earlier this year.
http://blogs.law.harvard.edu/corpgov/2013/12/31/top-10-topics-for-directors-in-2014/
Q & A
Your go-to advisors for all matters in risk management and corporate governance
800 S Douglas Road #940 Coral Gables, FL 33134 Phone: 305-447-6750 Email: [email protected]