Category 4: Governance Functional Areas - Coggle Diagram
Category 4: Governance Functional Areas
Risk Governance
Principle 11. The governing body should govern risk in a way that supports the organisation in setting and achieving its strategic objectives
The GB should delegate the implementation and effective risk management to management
The GB should exercise ongoing oversight and ensure that it results in the following outcomes:
a. The triple context and the capitals that the organisation uses must be assessed for risks and opportunities
b. For the risks with potentially negative effects on organisational goals - an assessment of the upside (opportunity) that goes with the risk
c. An assessment of the level of the organisation's dependence on the various forms of capital
d. Design and implement appropriate risk responses
e. Business continuity arrangements (if the organisation is exposed to a sudden shock / volatile conditions - how will it withstand these and recover from them)
f. The integration of risk management into daily business activities
The GB should evaluate and agree on the risk exposure it is willing to take in reaching its strategic objectives:
a. risk appetite
b. the maximum potential loss that the organisation will tolerate
The GB should consider a periodic independent assurance on the effectiveness of risk management (get it audited)
The GB must approve a policy that gives effect to its direction on how risk should be approached and addressed
Disclosure:
Nature and extent of risks and opportunities that the organisation is willing to take (without compromising sensitive information)
GB should treat risks as an integral part of all its decisions and duties
Disclosure:
a. overview of mechanisms for governing and managing risk
b. key focus areas during period under review - objectives, key risks, undue, unexpected or unusual risks and risks taken outside of the risk tolerance levels
c. how the organisation monitors the effectiveness of risk and how the outcomes are addressed
d. Planned future focus areas
The GB should take responsibility for governance of risk by setting the direction for how it should be approached and addressed in the organisation. This should include:
a. opportunities and associated risks that were considered when the strategy was set
b. potential positive and negative effects of those risks on the achievement of organisational objectives
Information and Technology Governance
Principle 12. The governing body should govern information and technology in a way that supports the organisation in setting and achieving its strategic objectives
The GB should oversee management and ensure that it results in:
a. integration of people, technology, information and processes across the organisation
b. integration of technology and information risks into organisation-wide risk management
c. arrangements for business resilience (business continuity)
d. monitoring of intelligence relating to safety of technology and information (hacking, cyber attacks, negative social media events)
e. management of third parties that any info or tech related services are outsourced to
f. an assessment of the value to the organisation of investments in technology and information
g. responsible disposal of obsolete technology
h. ethical and responsible use of technology and information
i. compliance with relevant laws
The GB should oversee management of information and make sure that the following happens:
a. proper leveraging (optimal use) of information to sustain and enhance the organisation's intellectual capital
b. An information architecture that supports confidentiality, integrity and availability of information (that means the way that it is designed and built - servers, passwords, the way files are named and stored etc)
c. The protection of privacy of personal information
d. The continual monitoring of security information
The GB should delegate the implementation and effective management of tech and info to management
The GB should oversee management of technology and make sure that the following happens:
a. a technology architecture that enables the achievement of strategic objectives
b. the management of risks relating to sourcing of technology
c. monitoring and responding to developments in technology (staying up to date with new technology and with the threats) - including management of opportunities and disruptive effects on the organisation and its business model
The GB should approve policy that gives effect to the direction
The GB should consider periodic independent assurance on the effectiveness of technology and information management arrangements
The GB should take responsibility for governance of technology and information by setting the direction for how it should be approached and addressed in the organisation
Disclosure:
a. overview of mechanisms, policies etc
b. key focus areas for the year
c. monitoring and how outcomes were addressed
d. planned future focus areas
Compliance Governance
Principle 13. The GB should govern compliance with applicable laws and adopted, non-binding rules, codes and standards in a way that supports the organisation in being ethical and a good corporate citizen
The GB should oversee management and ensure that it results in:
a. compliance being understood for both obligations it creates and rights and protections it affords
b. compliance management taking a holistic view of how laws and regulations relate to each other
c. Continual monitoring of the regulatory environment and appropriate responses to changes and developments
The GB should consider periodic independent assurance on the effectiveness of compliance management arrangements
The GB should delegate the implementation and execution of effective compliance to management
Disclosure:
a. overview of mechanisms, policies etc
b. key focus areas for the year
c. monitoring and how outcomes were addressed
d. planned future focus areas
The GB should approve policy that gives effect to the direction
Further disclosure:
Details of any environmental inspections done, any findings raised or criminal sanctions imposed as a result
The GB should take responsibility for governance of compliance by setting the direction for how it should be approached and addressed in the organisation
Further disclosure:
Material (in amount or in significance) or repeated penalties, sanctions and fines imposed on organisation or GB or officers
Remuneration Governance
Principle 14. The GB should ensure that the organisation remunerates fairly, responsibly and transparently so as to promote the achievement of strategic objectives and positive outcomes in the short, medium and long term
Remuneration report
About
Three parts to the report:
a. Background statement
b. Overview of main policy provisions
c. Implementation report - details of all remuneration awarded to individual members of the GB and executive management
Overview of remuneration policy: The overview should be of the main provisions of the policy, the objectives of the policy and how the policy is supposed to achieve these objectives. This includes:
a. the elements of remuneration (basic, benefits, commissions, allowances etc), and the principles on which the remuneration of executive management is based. This should also be done for other employees but at a high level
b. any obligations to make termination payments to executive management (as per their employment contracts)
c. description of the performance evaluation process and measures used to evaluate the performance of executive management
d. A comparison showing what, in total, the remuneration payable to executive management would be if they performed under target (minimum), on target, or above target
e. An explanation of how the policy addresses fair and responsible remuneration for executive management (when compared to overall employee remuneration)
f. What remuneration benchmarks were used and why
g. The basis for setting the fees for non-executive directors
h. an electronic link to the website where the full remuneration policy can be accessed by the public
Implementation report: This report includes the remuneration disclosures as required by the Companies Act. The report should also include:
a. The remuneration of each member of executive management, which should be broken down into:
i. the total of remuneration received/receivable (still due) for the period and a breakdown of that into the elements that comprise it
ii. If any awards were made to them under variable incentive schemes in the current year or past periods that the company has not yet settled or paid to them, details of those awards: the number of awards, their value at the date of the award (when it was made), the dates when they will receive them or must take them up by (vesting dates / expiry dates), and their fair value at the end of the year under review (this covers things like share ownership incentive schemes, or bonuses payable based on performance (variable) etc)
iii. For the above, those that were actually paid or settled in the current year, the cash value of those awards
b. An account of the performance measures used for each member of management, what their weighting and scores were - that were used to make the variable remuneration incentive scheme awards
c. Disclosure of termination payments - to whom and for what reason and how much
d. A statement saying that the policy has been complied with, or, if not, where the organisation has deviated from the policy
Background statement: Provides context for remuneration considerations and decisions relating to:
a. internal and external influences
b. most recent results of the voting on the policy and implementation report
c. key focus areas and key decisions taken by the remuneration committee
d. whether remuneration consultants have been used
e. views of the remuneration committee on whether the policy achieved its objectives
f. future focus areas
Remuneration policy
The remuneration policy must be designed to achieve the following objectives:
a. to attract, motivate, reward and retain human capital
b. to promote the achievement of strategic objectives within the organisation's risk appetite
c. to promote positive outcomes
d. to promote an ethical culture and responsible corporate citizenship
The GB should approve policy that gives effect to the direction
The policy should address all levels of remuneration in the organisation (organisation-wide) and specifically:
a. ways to ensure that executive remuneration is fair and responsible in the context of overall employee remuneration
b. the use of performance measures that support positive outcomes across the triple context and capitals
c. The process for voting on the policy and related reports (discussed further below)
The GB should take responsibility for governance of remuneration by setting the direction for how it should be approached and addressed in the organisation
The policy should address all elements of remuneration offered:
a. base salary - financial and non-financial benefits
b. variable remuneration
c. payments on termination
d. sign-on, retention and restraint payments
e. provisions for forfeiture, if any
f. commissions and allowances
g. fees for non-executive GB members
The GB should oversee that the implementation and execution of the policy does achieve the objectives
Voting on remuneration (only applicable to an organisation with shareholders)
The remuneration policy should include the process or steps to be taken by the GB if, when voting happens, either one or both of these are not approved by at least 75% of the shareholders. These steps should include:
i. a process of engagements (meeting / discussion etc) to find out the reasons for the disagreement votes
ii. how they will address any concerns raised in i. above - as long as the concerns are legitimate and reasonable concerns. This may include a change in the remuneration policy or the processes around remuneration governance. (Or it may not - it may be a matter of different communication / consultation or more information)
The remuneration policy and implementation report should be tabled every year for separate, non-binding advisory votes by the shareholders at the AGM
The Companies Act says that fees for non-executive directors must be submitted for approval by a special resolution of shareholders within 2 years before the payment is made.
DISCLOSURE: If there are not at least 75% "for" votes, the following must also be disclosed:
a. engagements to determine reasons for disagreement: with whom, in what way and form
b. the nature of the steps taken to address legitimate and reasonable objections and concerns
Assurance
Principle 15. The GB should ensure that assurance services and functions enable an effective control environment, and that these support the integrity of information for internal decision-making and of the organisation's external reports
Assurance of external reports
The GB should satisfy itself that the combined assurance model is effective and sufficiently robust for it to place reliance on the results / reports coming out of the process
The direction should consider legal requirements and the following additional considerations:
a. whether assurance must be obtained through the underlying data or through processes to prepare reports or to both
b. whether the nature, scope and extent of assurance are suited to the intended audience and purpose of a report
c. what criteria are going to be used to measure the underlying subject matter of a report
External reports, over and above the actual audit report from the assurance provider, must also include the following from the GB:
a. a description of the nature, scope and extent of assurance functions, services and processes underlying the preparation and presentation of the specific report
b. a statement regarding the integrity of the report and the basis for that statement
The GB should take responsibility for the integrity of external reports by setting the direction for how assurance on these reports should be approached
Internal audit
GB to approve the appointment of the CAE (contract, remuneration, skills and competence)
CAE to have direct access to the chair of the audit committee (independence reasons)
If a CAE (Chief audit executive) position is provided for, GB must ensure that this position is set up to function independently of management and carries the necessary authority
CAE must not be an executive management member (independence reasons)
GB must ensure that IA has the necessary skills and resources to address the complexity and volume of the risks faced by the organisation, and supplement IA with the necessary specialist services as required
CAE role to be clarified when IA services are co-sourced or out-sourced
The GB should approve the internal audit charter defining roles and responsibilities and authority of internal audit
CAE to report to AC chair on activities of the IA function - performance of duties that relate to IA. For other matters, (admin), report to executive management
The GB should take responsibility for the integrity of internal information by setting the direction for what internal audit arrangements are needed to provide objective and relevant assurance that adds to the effectiveness of governance, risk management and control processes. The oversight for this should be delegated to the audit committee.
GB's responsibility to remove the CAE
GB to monitor on an ongoing basis that IA:
a. follows an approved risk-based audit plan
b. reviews the organisational risk profile regularly and adapts the audit plan as necessary
IA to provide a statement annually about the effectiveness of the organisation's governance, risk management and control processes
The GB should obtain an annual declaration from the CAE that the IA conforms to recognised industry code of ethics
About
The GB should satisfy itself that a combined assurance model is applied which includes and makes the most efficient use of the various sources of assurance - external, internal, forensic etc
The combined assurance model should cover all the significant risks and material matters through a combination of the following:
a. line functions in the organisation that own and manage risk (user departments)
b. organisation's specialist functions that oversee risk management and compliance
c. internal auditors (auditors, fraud examiners, safety assessors, actuaries etc)
d. Independent external assurance providers (external auditors)
e. Other external assurance providers (eg environmental auditors, actuaries, fraud examiners)
f. Regulatory inspectors
The GB should take responsibility for assurance by setting the direction for arrangements for assurance services and functions. It should delegate the responsibility to the audit committee to make sure that the following objectives are achieved:
a. enabling an effective internal control environment
b. supporting integrity of information used for internal decision-making
c. supporting integrity of external reports
The GB and its subcommittees should assess the output of the combined assurance with objectivity and professional scepticism and form their own opinion on the integrity of internal and external information and the degree to which an effective control environment has been achieved.