Presentation by Vincent Tophoff, IFAC Senior Technical Manager and J. Stephen McNally, Campbell Soup Company Finance Director and Comptroller at the IMA Annual Conference and Exposition, June 2014
5. Serious RM/IC Flaws
• Having a compliance-only mentality
• Treating risk as only negative and overlooking the idea that organizations need to take risk in pursuit of their objectives
• RM/IC that is overly focused on external financial reporting
• Regarding RM/IC as a separate function or process
• Viewing risk management as predominantly important for operations
6. Bad vs. Good RM/IC Practices
RM/IC as objective in itself vs. RM/IC to help achieve objectives
Auditor / staff driven vs. Driven from top down
Rules-based vs. Performance & principles-based
Off-the-shelf systems vs. Tailored to the organization
Focused on loss minimization vs. Also focused on value creation
Mainly hard controls vs. Recognizing culture & attitude
Imposed vs. Implemented organically
Stand-alone / “bolt-on” vs. Integrated / “built-in”
Static, out-of-date vs. Dynamic, evolving
Seen as overhead vs. Seen as a sound investment
Abandoned vs. Integrated in governance
11. COSO ERM vs. ISO 31000
Many entities use both COSO ERM & ISO 31000…
… Biggest challenge is that concepts are not aligned
COSO vs. ISO 31000
Lengthy vs. Short
Focused on ERM vs. General approach to managing risk
One cube vs. Principles, framework & process
Skewed to negative vs. Risk can be positive or negative
Risk already exists vs. Risk tied to achieving objectives
Risk & opportunities vs. Opportunities also source of risk
More sequential process vs. More iterative process
12. Relation of Governance, RM & IC
• How do you think that governance, risk management, and internal control are related to each other?
15. Main Objective of RM/IC
• Is not to have effective controls…
• Is not to effectively manage risk…
But to
• Properly set & achieve your objectives
• Avoid too many surprises along the way
• And create sustainable value
16. RM/IC Integral Part of Good Governance
Governance comprises the arrangements (plan, do, check, and act) put in place to ensure that the intended objectives are defined and achieved
• RM/IC are an integral part of that!
20. Thoughts on Assessing RM/IC Maturity
• Use the Frameworks
• Consider good practice developments
• Perform gap analysis
• Determine performance
• Look at audit results
• Analyze serious flaws
• …
• Continuously move to improvement!
21. Table Discussions
• What is the maturity of risk management & internal control at your organization?
25. My Challenge
• First CFO Protocol ever completed
• No specific guidance/ expectations
• Cross-functional/ multi-location team
• No “big picture” flow diagram and/or procedural documentation
• No defined risks/ internal controls
CFO Protocol: N/A Co-Manufacturing Operations
26. Our Scope
In-Scope
Oversight activities to:
• Identify
• Select; and
• Manage
ongoing co-manufacturing partner relationships
Out-of-Scope
• Co-manufacturing partners themselves
• Non-CNA businesses:
o Canada
o Latin America
o Pepperidge Farm
• Special pack business
28. Co-Manufacturing Processes
• New partner selection & contracts
• Supply Base Quality System Assessments
• Formula management & mock recalls
• Cost standards & inventory management
• Capital investments & fixed assets
• Business continuity planning
• Other
29. Entity Structure = CFO Protocol Scope
Entity
Structure
Components
CNA Co-Mfg. Operations
• Campbell Soup Company
o Campbell North America
U.S. Retail
CNA Supply Chain
‒ Napoleon Plant
• Global Procurement
• Other: Legal, Quality, etc.
33. Components: Event Identification
In terms of internal & external events… What could stop us from achieving our objectives?
Co-Mfg Risks:
- Product quality
- Partner’s financial stability
- Formula management
- Business continuity
36. Components: Control Activities
What policies & procedures should be established to manage the risks as desired?
Co-Mfg. Controls:
- Quality audits & mock recalls
- Co-Man & D&B reporting
- Formula Management
- Annual BCP review & testing
37. Components: Information & Communication
How will we obtain information and communicate? What information is relevant to enable people to carry out their responsibilities?
Co-Mfg:
- Partner relationship manager
- Cross-functional team meetings
- Standardized reporting
38. Components: Monitoring
How will we know we achieved what we wanted to accomplish? What ongoing management activities and/or separate evaluations can we leverage?
Co-Mfg:
- Quarterly business reviews
- CFO protocol visit(s)
- Internal audits
- SAS 70
40. Recap
• Serious RM/IC flaws
• Frameworks and guidance can help
• Climbing maturity ladder through continual improvement
• Companies like Campbell’s are on this journey
• What about you and your organization?
41. Effective RM/IC & You
• How could you more effectively leverage risk management & internal control within your organization?
42. Management Accountant: Call to Action
• Build subject-matter-expertise regarding frameworks, standards & other guidance
• Educate audit committee, C-suite, operating unit & functional management
• Support line management through provision of high-quality information
• Establish good RM/IC for the finance function
• Champion importance of continuous RM/IC improvement
44. 10 Paragon Drive, Suite 1
Montvale, New Jersey
07645-1760
U.S.A.
(800) 638-4427
+1 (201) 573-9000
www.imanet.org