breaking

Tuesday, March 31, 2009

Self-Assessment

The Basic Standard for Enterprise Internal Control mandates that company management set clear goals for themselves (in relation to risk management) and then assess themselves on whether they met these goals. This provides a tremendous opportunity to bring performance management best practices to companies that may not have had exposure to them yet.

The key elements of self-assessment are:

1) That the business and personal goals be clearly defined. SMART (specific, measurable, attainable, realistic and timely) is the most widely-used method for setting and managing objectives today. The idea is that the goals should be based on business needs and be measured and analyzed.

2) The goals should be transparent to others, especially managers. Setting goals in a vacuum does not count. An integral part of self-assessment is sharing your objectives (as well as key metrics, potential challenges, and expected outcomes) with your manager and (if appropriate) others on your team.

3) Collect and analyze business data. This is the hardest part because companies generate so much information that it can be difficult to collect and analyze it (let alone make meaningful business decisions!). The data will allow you to make an honest and independent assessment based on the facts.

4) Conduct the self-assessment. This should be based on the original goals and objectives and include as much data as possible.

5) Most companies will follow the self-assessment with a manager assessment, where the manager rates the employee on achievement against the same objectives. The outcome of this process is then a discussion where both sides can review their assessments and discuss the employee’s performance.

6) Some companies also do 360 degree assessments where the employee’s performance is reviewed not just by their manager but also by their peers and other stakeholders. This can yield a more complete picture of actual performance against goals.

While this all seems like a time- and labor-intensive process, there are many ways to automate these steps. Using a system to manage the performance appraisal and self-assessment processes can reduce administrative burdens, give access to more complete performance data, and provide a repository for information throughout the entire year.

Consistency of Communication and its impact on China SOX Compliance

A major failure of internal controls is lack of consistent communication throughout the enterprise. If a company is saying different things to different groups, it is hard to centralize around a common vision and achieve superior business results. Standardizing processes, procedures and training is an important step in the C-SOX journey.

When implementing an enterprise risk management strategy, managers will want to look at the role that internal and external communications play. In a risk-aware company, management is much more sensitive to the messages that are broadcast to employees and strives to make sure that all employees get the same message. This is very important in large or geographically-dispersed organizations where there are risks of messages being “lost in the mail.”

When conducting training across a large company with many offices, it is critical that all employees receive the same level of quality instruction. Otherwise, the company will expose itself to undue risks (in product quality, customer satisfaction and potentially legal and financial risks if there is a problem).

The best way to ensure consistent communication is to train staff on the importance of this topic and to use tools (such as email, corporate intranet and other “push” or broadcast technologies) in company communications. For training, many companies now invest in online education or e-learning programs to ensure consistency and quality of message.

Creating a Culture of Risk Awareness

One of the biggest challenges in implementing C-SOX control effectively is making sure that risk awareness is taken seriously by the entire organization, not just top management or the finance department. This can be especially problematic in organizations that have poor lines of control or do not have the business systems (IT and otherwise) needed to get a clear picture of their operations.

The Basic Standard for Enterprise Internal Control will require a mindset change for many companies in China because they do not currently take a systematic view of operational risk and they may not have the human resources needed to properly implement desired controls. Companies can therefore invest in training and education to increase the level of risk awareness.

This training has several components:

1) Broad training covering topics such as risk management, risk identification, corporate governance, etc.
2) Industry-specific training such as anti-money laundering or fraud awareness, health and safety, or data privacy.
3) Training on specific company policies, processes and procedures related to lines of business.

To effectively create a corporate culture where risks are identified and properly managed, all three types of training have to take place, and management has to be willing to sponsor and fund the training. This means not only holding training classes, but also assessing knowledge and skills of the participants, reinforcing key messages and behaviors and keeping risk as a top priority for the business.

Proper implementation of internal controls is a multi-year process that will require efforts throughout the company. Management teams need to make sure they have all the resources needed to finish the process.

Wednesday, March 18, 2009

Safety training after CCTV fire

We’ve been receiving several requests about fire safety training after the incident in the hotel at the CCTV complex in Beijing (luckily the building was empty). It looks like fire safety is getting a higher profile these days, which is a good thing. I have also noticed that fire extinguishers and exit signs are now more prominent around Beijing.

The courses that have been proving most popular with customers these days are Fire extinguisher safety, Fire Prevention and Safety and Egress and Emergency Actions Plans.

China SOX intro

The China Securities Regulatory Commission, the National Audit Office, the China Banking Regulatory Commission and the China Insurance Regulatory Commission have jointly announced the Basic Standard for Enterprise Internal Control, which requires listed Chinese companies to comply from 1 July, 2009 onward.

The new rule requires listed companies to conduct self-evaluation of their internal controls, disclose an annual evaluation report and employ qualified agencies to audit the effectiveness of the controls. The Basic Standard is intended to bring stronger corporate governance to China's listed companies, and is often compared to the Sarbanes-Oxley law in the US. Hence the nickname "China SOX" or simply C-SOX.

The Basic Standard will have a direct impact on over 900 companies listed on the Shanghai Stock Exchange and about 800 companies listed on the Shenzhen Stock Exchange, so it will be broadly felt in the Chinese corporate environment. Also, unlisted large and medium-sized Chinese companies are encouraged to adopt the standard. My estimate is that over 2,000 listed and state-owned companies will need to comply with the Basic Standard in 2009.

There's lots of work going on right now by product and service providers to launch C-SOX solutions before the compliance deadline. Stay tuned…


Vast Talent's C-SOX resources can be found here: http://www.vast-talent.com/en/compliance_solution_for_china_basic_standard_for_enterprise_internal_control_csox.html