This week, I was honored to present to 220 board directors at Bursa Malaysia, the Malaysia stock exchange (an event coordinated by my friends at IIA Malaysia).

The topic was “Governance, Risk Management, Compliance: What Directors Should Know” and if you are interested you can upload a copy of my slides. I defined GRC as the capability that enables an organization to set objectives that deliver value to stakeholders, optimize performance to achieve or surpass objectives through management of risk, and act with integrity (which includes not only compliance with laws and regulations, but with the expectations of the society within which we live and operate).

During the course of the presentation, and in answer to a number of questions, I made the following observations about critical actions necessary if governance, risk management, and internal audit are to be effective in delivering performance and value to stakeholders:

1. The board should have a majority of directors who are independent of management (the exception being in a family business)
2. The audit committee and the risk committee (if there is one) must include individuals with expertise in risk management – which extends beyond financial risks to all risks of significance to the organization, including reputation risk, operational risk, etc.
3. Risk management must be recognized as being more than covering the back of the organization (i.e., a compliance activity focused on minimizing the potential impact of major disasters). Instead, it needs to be acknowledged as enhancing the ability of the organization to move forward and achieve or surpass its objectives. Risk management has to be embedded in strategy, performance management, and daily decision-making processes – enabling the organization (a) to make better decisions because it has information and is taking action in response to the uncertainty in its path, and (b) to optimize potential outcomes
4. Board members cannot be effective without reliable, timely information or confidence in management’s processes and controls (including risk management). The best source for assurance on both counts is an internal audit department that is:
   1. Independent of management, reporting directly to the board or a committee of the board
   2. Led by an experienced and competent professional (CAE) that was selected by the board and not by management. (It is not acceptable, in my opinion, for management to manage the hiring process and present its selection to the board for approval)
   3. The CAE’s performance must assessed by the board, not management, and the compensation of the CAE, including bonus, must also be set by the board
   4. The internal audit function has to be sufficiently resourced to meet its obligation to provide assurance and consulting services relative to the more significant risks to the organization
   5. Only the board can terminate or discipline the CAE, and only the CAE can terminate or discipline any of the staff of the internal audit function
   6. The CAE should report not only to the audit committee of the board, but to any committee that is responsible for oversight on areas addressed by internal audit. For example, the CAE should regularly report to a board’s risk committee, compliance committee, governance committee, etc.
5. The internal audit function must provide assurance to the board or committee of the board in the form of a formal opinion at least annually. That opinion will be based on the work performed (and the CAE should ensure that the audit plan considers all risks of significance to the organization) and include an assessment of whether the organization’s governance, risk management, and related internal control processes provide reasonable assurance that risks of significance to the organization are managed within acceptable levels/criteria
6. Individuals who possess information about potential violations of the organization’s code of conduct, including but not limited to violations of law or regulation, should be able to report their suspicions to an objective party independent of the management responsible for the area, without fear of retaliation or other harm. That may mean reporting directly and anonymously to the audit committee, but in practice the latter will delegate this important responsibility to a trusted advisor, such as the head of internal audit, who can be relied upon to keep the allegation and related information confidential

Some observations and clarifications on the above:

1. While many nation’s corporate governance codes or regulations require listed companies to have an internal audit function, there is no requirement to have an independent or competent one. That has to change. Too many organizations are complying with the letter and not the spirit of these codes by hiring an inexperienced individual who reports to lower level management and not the board
2. While far too few internal audit departments are providing the opinion I say should be mandated (and provided for 20 years as CAE), this should be the #1 priority for every CAE. It may take a couple of years to change not only the activity but the philosophy of the internal audit function, but this is critical if the board is to obtain the assurance it needs to be effective.
3. IT IS NOT ACCEPTABLE FOR MANAGEMENT AND/OR THE BOARD TO BE REQUIRED TO ASSESS RISK MANAGEMENT AND INTERNAL CONTROL AND ALLOW INTERNAL AUDIT NOT TO PROVIDE THEIR PROFESSIONAL OPINION
4. The facts that CAEs have not provided an opinion in the past and audit committees have not been asking for it do not change the fact that this is critical. AUDIT COMMITTEES SHOULD DEMAND AN OPINION
5. Far too many risk professionals and their management have limited the formal risk management program to a few (10-20) so-called ‘high’ risks that deal only with potential adverse events. For risk management to deliver on its potential, it has to enable management to make risk-intelligent decisions that drive performance – optimizing potential upsides as well as minimizing the downside
6. Managing risk cannot be left to periodic meetings, workshops, and assessments. The business runs every day; risks change all the time; and the consideration and management of risk has to match the speed of decision-making
7. RISK MANAGEMENT CANNOT BE A ‘CHECK-THE-BOX-ACTIVITY’ to demonstrate compliance. The true test of risk management is whether management at all levels is able to confirm that information about uncertainty, together with related actions to modify risk, is helping them make better decisions and be more successful

I welcome your comments.