Navigating the evolving GRC landscape
www.pwc.co.uk
The Royal Institution
14 June 2018
Mark O’Sullivan (Corporate Reporting)
Matt Elkington (Governance, Risk & Compliance)
James Smither (Governance, Risk & Compliance)
School of Mines
Outline of presentation
This publication has been prepared for general guidance on matters of
interest only, and does not constitute professional advice. You should not act
upon the information contained in this publication without obtaining specific
professional advice. No representation or warranty (express or implied) is
given as to the accuracy or completeness of the information contained in this
publication, and, to the extent permitted by law, PricewaterhouseCoopers
LLP, its members, employees and agents do not accept or assume any
liability, responsibility or duty of care for any consequences of you or anyone
else acting, or refraining to act, in reliance on the information contained in this
publication or for any decision based on it.
© 2018 PricewaterhouseCoopers LLP. All rights reserved. In this document,
“PwC” refers to PricewaterhouseCoopers LLP (a limited liability partnership in
the United Kingdom) which is a member firm of PricewaterhouseCoopers
International Limited, each member firm of which is a separate legal entity.
01 Setting the scene: why GRC matters in mining
02 Getting Governance right
03 Delivering Risk insight
04 Staying on top of Compliance
The interaction of Governance, Risk and Compliance
• A growing focus of corporate governance regimes and investors
• Especially critical in the mining sector due to the range and severity of above- and below-ground risks faced
• Increasingly in the spotlight following a series of corporate scandals in the UK
• Growing focus on how well companies are balancing the interests of different stakeholders
• Increasing UK and global regulatory burden, in which the firm itself can be a criminal actor
• Growing complexity of the extended mining enterprise (JVs, contractors, value chain, marketing and trading) generates a tougher compliance challenge
Governance: the system of rules, practices and processes by which a firm is directed and controlled
Risk: the process by which the firm identifies, analyses and takes appropriate steps to manage the uncertainties to which it is subject
Compliance: activities undertaken by the firm to ensure that its operations remain in accordance with legislation and industry-specific regulations
Why does this matter?
• FCA fines mining company £4.65m for listing violations (June 2015)
• Senior executives sacked over $10.5m consultancy payment linked to Africa mine (November 2016)
• Miner’s London listing saga “a debacle of corporate governance” (August 2013)
• Data breach underlines need for supply chain cyber security (May 2017)
• $2.4bn fine for sanction breaches and money laundering (December 2012)
Corporate governance: winds of change
External expectations surrounding, and scrutiny of, how UK companies govern themselves is growing exponentially. Having a compelling story to share with stakeholders has rarely been more important.
Existing requirements: 2014 UK Corporate Governance Code and 2006 UK Companies Act section 172 non-financial reporting requirements
An evolving discourse: following on from modern slavery statements, disclosures on social mobility are the new focus area
Incoming changes: changes to the Corporate Governance Code, with a particular focus on greater stakeholder participation in companies’ governance and strategy
New obligations: March 2018 London Stock Exchange announcement that all AIM-listed companies will need, from 28 September, to report on their application of a recognised corporate governance code
The risk landscape continues to evolve
Source: 21st PwC Global CEO Survey
Although in extractives firms, HQ and overseas views of what matters most often vary…
HQ priority risks
• Commodity prices
• Product quality for major customers
• Capital project discipline
• Health and safety
• Major environmental contamination incident
Central America
• Extortion from organised crime groups
• Community dispute over land use and access
North America
• Regional government permitting for new logistics arrangements
• Increasingly stringent enforcement of safety regulations
South America
• Legal dispute over commercial property ownership
Former Soviet Union
• Civil conflict
• Non-refund of VAT paid on imported equipment
Central Asia
• Fraud and nepotism in procurement team
Sub-Saharan Africa
• Major tropical disease outbreak
• Government pressure to finance social development activity
Eastern Europe
• Transfer pricing investigation
North Africa
• Terrorism
• Creeping expropriation
Delivering risk insight
Does risk management add value or just bureaucracy?
01 Risk foresight (led by Risk): early spotting of emerging threats and opportunities that could impact strategy delivery
• Horizon scanning • Scenario planning • Strategic resilience
02 Risk oversight (led by 2LOD functions): achievement of the right balance of risk-taking behaviours in key decision-making moments
• Risk appetite articulation • Risk tolerance parameters • Key Risk Indicators (KRIs)
03 Risk hindsight (led by Internal Audit): assurance that the system of risk management and internal control across the Group is effective
• Key risks and controls assurance • ERM effectiveness and culture insight • Continuous improvement of 3LOD
Enabled by… DATA
Risk appetite articulation continues to be key area of focus in ERM
The usual approach…
Starting-point: the organisation’s main areas of risk
How appetite is derived: a simple scale (e.g. 1 = averse; 5 = hungry), or derivation from risk assessment (impact + likelihood = acceptable or unacceptable)
Key attributes:
• Minimal discussion / debate required
• Changes driven largely by risk profile
• Lacks transparency and connectivity with performance management / upside
• Does not provide detailed guidance to inform decision-making at operational levels of the company
Outputs: a high-level summary of the scoring of risk areas, or identification of specific risks that are/are not deemed acceptable by the Board

Our approach…
Starting-point: the key value drivers inherent to executing the organisation’s strategy
How appetite is derived: analysis of which business activities, decision points, cultural and environmental factors drive risk-taking behaviours and exposure levels in practice
Key attributes:
• Requires engaged debate/challenge (senior management, Exec and Board)
• Evolves in line with the strategy, and will be influenced by changes in the external and internal business environment
• Transparent, measurable and leverages data. Explicit linkage to performance and reward
• Directly informs operational decision-making
Outputs: directional/advisory ‘Board level’ risk appetite statements; operational tolerance thresholds in KRIs that define the limits of acceptable risk-taking and trade-offs in the context of risk drivers, and enable predictive monitoring
The compliance challenge: navigating an increasingly complex global regulatory landscape
The rapidly changing regulatory and compliance environment provides both threats and opportunities. Global organisations are utilising governance and compliance proactively to pursue strategic objectives to add value to the wider organisation.
Legislation and regulation in scope (UK legislation; EU legislation in place and incoming; global regulations and standards):
• UK Bribery Act (2010)
• UK Modern Slavery Act (2015)
• UK Criminal Finances Act (2017)
• Sanctions and trade controls
• EU anti-trust regulations
• Criminal liability for economic crime
• Market abuse regulations
• General Data Protection Regulation
• Anti-corruption legislation
• Human rights due diligence
• 4th and 5th Anti-Money Laundering Directives
• Network and Information Systems Directive
Case study: building a robust compliance environment
A step-by-step solution to integrating a compliance mindset across an organisation…
• Development and roll-out of CODE OF CONDUCT
• Leadership ADVOCACY and role-modelling
• Articulation of VALUES
• Assessment of RISKS
• WHISTLEBLOWING
Conclusion: pulling all the levers
Embedding a high-performing GRC framework uses the full range of available levers and enablers:
• Values that encourage positive and discourage negative behaviours in relation to risk and compliance
• A governance model that places the emphasis on leaders participating fully in risk management and compliance and regularly communicating their importance
• Policies and controls that explicitly address the management of the key risks facing the business
• Performance and reward systems that appropriately identify, promote, reward (or penalise) leaders for the risk management attributes they exhibit
• An Internal Audit function that uses a flexible and proactive, fully risk-based approach
• Full exploitation of technology to enhance controls, risk monitoring, assurance and risk reporting activities
• Alignment of governance, risk management and compliance with organisational resilience (e.g. crisis management and business continuity planning)
Questions to ask at HQ about GRC around the firm
Do all of our people really understand their roles and responsibilities around risks and control?
What evidence do we rely on? Is this consistently applied across the board?
What is the scope for automation, better leverage of data, and cost reduction?
How do we know our controls are effective in every location? How can we evidence that?
Is assurance delivered in the right places and at the right time?
Is there scope for greater commonality and standardisation across geographies?
Does everyone across the organisation know what our desired risk-taking approach is? How can we track this?
Does our controls environment deliver predictable, stable outcomes regardless of location?
Do we know what our key risks and controls actually are across the full footprint of our business?
Is our risk management framework truly effective at identifying and escalating significant risks across all of our territories?
Do our lines of defence operate effectively in relation to each other?
How can we visualise our control environment?