
1 Governance Model for Trusted Businesses: Linking Governance to Sustainable Value Creation. BPM GOSPEL (LLP-LDV-TOI-2010-HU-001). This project has been funded with support from the European Commission. This publication reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.

2 Agenda 1. What's the business world coming to? 2. Do we need to change for the better? 3. What do we have so far? 4. We have already realized that we need more 5. That's where we come in 6. General information on Process Assessment 7. Governance Model for Trusted Businesses 8. Our vision of tomorrow's business world

3 1. What's the business world coming to? …… Fraudulent representation, not limited to financial reporting. Bad bank. Country bankruptcy. "I have lost my house and savings and have debt that will be difficult to repay for the rest of my life. I am 35 years old."

4 2. Do we need to change for the better? Yes, we do!

5 3. What do we already have so far? Sarbanes-Oxley Act for US-SEC registrants and their affiliates globally; Basel Framework; Company Law in the EU; European and national directives for governmental and public sector organizations; etc. (1/2)

6 3. What do we already have so far? Existing laws and regulations already require the implementation of internationally accepted, sophisticated risk management and internal control systems which are periodically assessed in terms of effectiveness, with the results of the assessments disclosed to the stakeholders, and … to be continued on the next page. (2/2)

7 4. We have already realized that we need more … financial and governmental sectors and the regulators are keen to extend and further develop the already existing mandatory rules and guidelines to all governance-related processes which are not yet addressed in the existing set of regulations, and thus regain the trust of the stakeholders with trusted businesses.

8 5. That's where we come in: Governance Model for Trusted Businesses, Linking Governance to sustainable value creation. We want to introduce a new methodology which puts our need to change into action.

9 6. General information on Process Assessment using the most acknowledged control frameworks. An integral part of conducting a process assessment is to use a Process Assessment Model (PAM), related to Process Reference Model(s) (PRM) and conformant with the requirements defined in ISO/IEC. ISO/IEC provides a framework for process assessment and sets out the minimum requirements for performing an assessment in order to ensure consistency and repeatability (objectivity) of the ratings. The COSO and COBIT based Process Reference Models, associated with the process attributes defined in ISO/IEC, provide a common basis for performing assessments of governance capability regarding internal controls and for reporting results using a common rating scale. ISO/IEC offers not only a transparent method for assessing the performance of relevant governance processes, but also tools for assessing control risk areas based on the gaps between target and assessed capability profiles. (1/4)

10 6. General information on Process Assessment using the most acknowledged control frameworks. The Process Assessment Model according to ISO/IEC Process Assessment (SPICE) defines a two-dimensional model of process capability. In one dimension, the process dimension, the processes are defined and classified into process categories. In the other dimension, the capability dimension, a set of process attributes grouped into capability levels is defined. The process attributes provide the measurable characteristics of process capability. Figure 1: Components of ISO/IEC Process Assessment. (2/4)

11 6. General information on Process Assessment using the most acknowledged control frameworks. Figure 1: Measurement Framework of ISO/IEC Process Assessment. Within a Process Assessment Model, the measure of capability is based upon the nine process attributes (PA) defined in ISO/IEC, which are grouped into six capability levels. Process attributes are used to determine whether a process has reached a given capability. Each attribute measures a particular aspect of the process capability. Within a level there is no ordering between the process attributes; each attribute addresses a specific aspect of that capability level. (3/4)

12 6. General information on Process Assessment using the most acknowledged control frameworks. The nine process attributes are evaluated on a four-point ordinal scale of achievement, as defined in ISO/IEC. They provide insight into the specific aspects of process capability required to support process improvement and capability determination. The process capability assessment is based on assessment indicators: Process Attribute Indicators (PAI) apply to levels 1-5, while Base Practices and Work Products apply (in addition) exclusively to level 1. Figure 3: Four-point ordinal scale for evaluating the achievement of a process attribute. (4/4)

13 7. Governance Model for Trusted Businesses. What is it? The Governance Model for Trusted Businesses (Governance SPICE) relates to the capability assessment of processes in the areas of Governance, Risk Management and Internal Control and is based on the following concepts: · Corporate Governance Principles (OECD) · Recognized Control Frameworks (COSO & COBIT) · Risk Tolerance and Risk Appetite (as of COSO ERM) · Performance Measurement (as of COBIT) · Process Capability Assessment (ISO/IEC :2003) · Evaluating Process-related Risk (ISO/IEC :2004) · Organizational Maturity (ISO/IEC TR :2008) (1/8)

14 7. Governance Model for Trusted Businesses. Eleven Governance Objectives as a basis for determining governance processes. The Governance Model interprets the following eleven governance objectives for determining governance processes as special applications of the recognized reference models (COSO, COBIT and Enterprise SPICE) and trusted business principles: Supporting the Organization's Internal Control System – Risk Awareness – Accountability – Competency – Accuracy – Process Integrity – Data Protection – Commitment – Control Efficiency; Supporting Business Sustainability – Competitiveness – Exploitability – Satisfaction. (2/8)

15 7. Governance Model for Trusted Businesses. Eleven governance processes classified into two application categories. Based on the eleven relevant governance objectives, the governance model determines eleven governance processes as special applications of the recognized reference models (COSO, COBIT and Enterprise SPICE) and trusted business principles. The eleven governance processes are classified into the following two Application Categories. Governance of Controlled Business Operation Application Category: Control Risks – The organization and its staff adequately address risks to the governance objectives relevant for financial reporting and trusted business operation and consider those risks in the management of business operation. Control Management – The management of the organization is able to control business processes in a way which is adequate to the objectives of internal control over financial reporting and trusted business operation. Control Competence – Sufficient skills and knowledge relevant for the objectives of internal control over financial reporting and trusted business operation are available and used. Information Reliability – Data architecture and disclosure elements relevant for financial reporting objectives and trusted business operation, and for supporting data processing integrity, are accurate and consistent. (3/8)

16 7. Governance Model for Trusted Businesses. Eleven governance processes classified into two application categories. Process Control – Design and operation of process-level controls relevant to the objectives of financial reporting and trusted business operation, and the processing integrity principle, are effective. Data Protection – The organization and its staff are committed to security, confidentiality and privacy principles to avoid unauthorized access to and misuse of confidential data affected by business operation. Integrity Assurance – The organization and its staff are committed to complying with ethical and business integrity requirements relevant to the objectives of financial reporting and trusted business operation, and the availability principle. Control Efficiency – Efficient usage of control resources relevant to the objectives of financial reporting and trusted business operation. Governance of Controlled Business Operation Application Category: Competitive Operation – Ensuring market recognition of the business operation. Exploitable Operation – The organization realizes optimal value from business operation. Satisfactory Operation – Ensuring user/customer satisfaction based on agreed levels of business operation. (4/8)

17 7. Governance Model for Trusted Businesses. Four main objective categories mapped to capability levels. In the measurement framework of the Governance SPICE model the main objective categories of the COSO model are mapped to the capability levels of ISO/IEC. Figure 13: Mapping ISO/IEC capability levels to COSO objective categories. (5/8)

18 7. Governance Model for Trusted Businesses. Assessing Control Risk Areas. Risk Appetite and Risk Tolerance according to the Enterprise Risk Management concept (ERM) are the decisive criteria for setting target process capability profiles, which are measured via the ratings of the process attributes. The risk appetite of an entity is a high-level view of the decision-making body of a company on how much risk they are willing to take. Risk Tolerance is the acceptable level of variation around objectives and is aligned with the risk appetite. Only ratings of Fully achieved or Largely achieved should be set as targets. Process-related risk results from the existence of gaps between the target and the assessed process profiles. (6/8)

19 7. Governance Model for Trusted Businesses. Assessing Control Risk Areas. The process attribute gap can be categorized into "None", "Minor" and "Major" categories based on the distance between target and assessed ratings. The probability of problem occurrence is derived from the extent of the process attribute gaps and from the capability level where they occur. Capability level gaps are categorized as follows:
– None - No major or minor gaps
– Slight - No gap at level 1, and only minor gaps at higher levels
– Significant - A minor gap at level 1, or a single major gap above
– Substantial - A major gap at level 1, or more than one major gap above
The process-related risk depends on both the probability of a problem arising from the identified gap and the potential consequence. In general the consequences depend on the capability levels where the gaps occur. (7/8)
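The gap rules from slides 18 and 19 carried through as a small classifier, added here as an illustration and not part of the BPM GOSPEL material. The slides do not say how much rating distance makes a gap "Minor" rather than "Major", so this assumes the ISO/IEC 15504 four-point scale N < P < L < F, one rating step = Minor and two or more steps = Major, and the standard PA numbering 1.1 to 5.2; the profiles are constructed sample data.

```python
# Added illustration of the gap-based risk categorisation on slides 18-19.
# Assumptions (not stated on the slides): ratings use the four-point ordinal
# scale N < P < L < F; a one-step rating gap is "Minor", two or more steps
# "Major"; the nine PAs carry their ISO/IEC 15504 numbers 1.1 .. 5.2.

RATING_ORDER = {"N": 0, "P": 1, "L": 2, "F": 3}

# Capability level that each process attribute belongs to.
PA_LEVEL = {"1.1": 1, "2.1": 2, "2.2": 2, "3.1": 3, "3.2": 3,
            "4.1": 4, "4.2": 4, "5.1": 5, "5.2": 5}


def attribute_gap(target, assessed):
    """Classify one PA gap as None, Minor or Major from the rating distance."""
    if target not in ("L", "F"):
        # Slide 18: only Largely or Fully achieved may be set as targets.
        raise ValueError("target rating must be L or F")
    distance = RATING_ORDER[target] - RATING_ORDER[assessed]
    if distance <= 0:
        return "None"
    return "Minor" if distance == 1 else "Major"


def capability_gap(target_profile, assessed_profile):
    """Apply the four capability level gap categories to a whole profile.

    Both arguments map PA id -> rating. PAs missing from the assessed
    profile count as Not achieved; PAs missing from the target are ignored.
    """
    gaps = {pa: attribute_gap(rating, assessed_profile.get(pa, "N"))
            for pa, rating in target_profile.items()}
    level1 = [g for pa, g in gaps.items() if PA_LEVEL[pa] == 1]
    higher = [g for pa, g in gaps.items() if PA_LEVEL[pa] > 1]
    major_above = higher.count("Major")
    if "Major" in level1 or major_above > 1:
        return "Substantial"
    if "Minor" in level1 or major_above == 1:
        return "Significant"
    if any(g != "None" for g in higher):
        return "Slight"
    return "None"


# Constructed sample: a level-3 target profile against an assessment where
# PA 2.2 is only Largely and PA 3.1 only Partially achieved.
TARGET_L3 = {"1.1": "F", "2.1": "F", "2.2": "F", "3.1": "L", "3.2": "L"}
ASSESSED = {"1.1": "F", "2.1": "F", "2.2": "L", "3.1": "P", "3.2": "L"}

if __name__ == "__main__":
    print(capability_gap(TARGET_L3, ASSESSED))  # Slight: only minor gaps above level 1
```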

20 7. Governance Model for Trusted Businesses. The key benefits at a glance: Common, integrated and most acknowledged assessment model. Process capability determination applicable to all relevant processes. Value-adding tool for all stakeholders of a company – Decision-making body of a company – Internal & External Auditors – Customers – Suppliers – Shareholders – Other stakeholders. Improved Corporate Governance as USP. (8/8)

21 Our vision of tomorrow's business world …… Honest representation in all relevant activity areas. Good bank. Trusted businesses. "I have my house, some savings, and will not burden the next generation with my debt. I am 35 years old."

22 Annex 1: The 20 basic COSO principles. Control Environment (CE)
1. Integrity and Ethical Values (IEV). Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting.
2. Oversight Board (OB). The board of directors and/or audit committee understand and exercise oversight responsibility related to financial reporting and related internal control.
3. Management's Philosophy and Operating Style (MPO). Management's philosophy and operating style support achieving effective internal control over financial reporting.
4. Organizational Structure (OS). The entity's organizational structure supports effective internal control over financial reporting.
5. Financial Reporting Competencies (FRC). The organization retains individuals competent in financial reporting and related oversight roles.
6. Authority and Responsibility (AR). Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.
7. Human Resources (HR). Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting.

23 Annex 1: The 20 basic COSO principles. Risk Assessment (RA)
1. Financial Reporting Objectives (FRO). Management specifies financial reporting objectives with sufficient clarity and criteria to enable the identification of risks to reliable financial reporting.
2. Financial Reporting Risks (FRR). The organization identifies and analyzes risks to the achievement of financial reporting objectives as a basis for determining how the risks should be managed.
3. Fraud Risk (FR). The potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting objectives.
Control Activities (CA)
1. Integration with Risk Assessment (IRA). Actions are taken to address risks to the achievement of financial reporting objectives.
2. Selection and Development of Control Activities (SD). Control activities are selected and developed considering their cost and their potential effectiveness in mitigating risks to the achievement of financial reporting objectives.
3. Policies and Procedures (PD). Policies related to reliable financial reporting are established and communicated throughout the organization, with corresponding procedures resulting in management directives being carried out.
4. Information Technology (IT). Information technology controls, where applicable, are designed and implemented to support the achievement of financial reporting objectives.

24 Annex 1: The 20 basic COSO principles. Information and Communication (IC)
1. Financial Reporting Information (FRI). Pertinent information is identified, captured, used at all levels of the organization, and distributed in a form and timeframe that supports the achievement of financial reporting objectives.
2. Internal Control Information (ICI). Information used to execute other control components is identified, captured, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities.
3. Internal Communication (IC). Communications enable and support understanding and execution of internal control objectives, processes, and individual responsibilities at all levels of the organization.
4. External Communication (EC). Matters affecting the achievement of financial reporting objectives are communicated with outside parties.
Monitoring (MO)
1. Ongoing and Separate Evaluations (OSE). Ongoing and/or separate evaluations enable management to determine whether internal control over financial reporting is present and functioning.
2. Reporting Deficiencies (RD). Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action, and to management and the board as appropriate.
