Governance, Business Ethics, Risk Management, and Internal Control Notes

Summary notes for the Governance, Business Ethics, Risk Management, and Internal Control course.

Uploaded by

Jisoo Kim

Corporate Governance

A. Introduction to Corporate Governance

Expected Learning Outcomes


➢ Describe what governance involves
➢ Enumerate the different contexts in which governance can be applied
➢ Name and explain the characteristics of good governance
➢ Explain the meaning, purpose, and objectives of good governance
➢ Know and describe the principles of effective good corporate governance
➢ Understand how principles of good corporate governance can be applied

What is Corporate Governance?


Corporate governance is the system by which companies are directed and controlled.

Corporate Governance Explained

Governance
- A process whereby elements in society wield power, authority, and influence and enact
policies and decisions concerning public life and social upliftment.
- The process of decision-making and the process by which decisions are implemented
(or not implemented) through the exercise of power or authority by leaders of the
country and/or organization.
- Applies in several contexts, such as corporate governance, international governance,
national governance, and local governance.

Good Governance
❖ Participation
➢ By both men and women, of all ages and social statuses
➢ Either direct or through legitimate institutions or representatives
➢ Informed and organized
➢ Freedom of association and expression on one hand and an organized civil
society on the other hand
❖ Follows the Rule of Law
➢ Fair legal framework that is enforced impartially
➢ Full protection of human rights, particularly those of minorities
➢ Impartial enforcement of laws requires an independent judiciary and an impartial
and incorruptible police force
❖ Transparency
➢ Decisions taken and their enforcement are done in a manner that follows rules
and regulations
➢ Information is freely available and directly accessible to those who will be
affected by such decisions and their enforcement
➢ Enough information is provided, and it is provided in easily understandable
forms and media
❖ Responsive
➢ Requires that institutions and processes try to serve the needs of all
stakeholders within a reasonable timeframe
❖ Consensus Oriented
➢ Requires mediation of the different interests in society to reach a broad
consensus on what is in the best interest of the whole community and how this
can be achieved
➢ Broad and long-term perspective on what is needed for sustainable human
development and how to achieve the goals of such development
➢ Understanding the historical, cultural and social contexts of a given society or
community
❖ Equitable and Inclusive
➢ Ensures all its members feel that they have a stake in it and do not feel excluded
from the mainstream of society
➢ All groups, but particularly the vulnerable, have opportunities to improve or maintain
their well-being
❖ Efficiency and Effectiveness
➢ Produce results that meet the needs of society while making the best use of the
resources at their disposal
➢ Sustainable use of natural resources and the protection of the environment
❖ Accountability
➢ Accountable to those who will be affected by its decisions or actions
➢ Cannot be enforced without transparency and the rule of law

Corporate Governance
- Ensures the accountability of certain individuals to an organization.
- A system whereby shareholders, creditors and other stakeholders of a corporation are
assured that management enhances the value of the corporation as it competes in an
increasingly global marketplace. (SEC)
- Organization for Economic Cooperation and Development (OECD) definition:
- the system by which business corporations are directed and
controlled;
- specifies the distribution of rights and responsibilities among different
participants in the corporation;
- spells out the rules and procedures for making decisions on corporate
affairs;
- provides the structure through which the company sets its objectives, and
the means to attain those objectives and monitor performance.

Principles of Corporate Governance
The purpose of corporate governance is to facilitate effective entrepreneurial and prudent
management that can deliver the long-term success of the company.

Main Principles:
● Leadership
● Division of responsibilities
● Composition, succession and evaluation
● Audit, risk and internal control
● Remuneration

Objectives of Corporate Governance


➢ Fair and Equitable Treatment of Shareholders
○ All shareholders deserve equitable treatment
➢ Self-Assessment
○ Enables companies to assess their behavior and actions before they are scrutinized by
regulatory agencies
○ Successfully points out deficiencies in the company's operations and helps solve
issues internally on a timely basis
➢ Increase Shareholders’ Wealth
○ Protect the long-term interests of the shareholders
➢ Transparency and Full Disclosure
○ Higher degree of transparency by encouraging full disclosure of transactions in
the company accounts

Basic Principles of Effective CG


➢ Transparent
➢ Protects the rights of shareholders and includes both strategic and operational risk
management
➢ Concerned in both long-term earning potential as well as actual short-term earnings
➢ Holds directors accountable for their stewardship of the business

Good, effective governance rests on three questions:
● Transparency: Are the boards telling us what is going on?
● Accountability: Is the board taking responsibility?
● Corporate Control: Is the board doing the right thing?

Positive answers to the following questions indicate a firm's conformance and compliance with
the basic principles of good corporate governance.

Transparency and Full Disclosure


- Does the board meet the information needs of investment communities?
- Does it safeguard integrity in financial reporting?
- Does the board have sound disclosure policies and practices?
- Does it make timely and balanced disclosure?
- Can an outsider meaningfully analyze the organization's actions and
performance?

Accountability
- Does the board clarify its role and that of management?
- Does it promote objective, ethical and responsible decision making?
- Does it lay a solid foundation for management oversight?
- Does the composition mix of board membership ensure an appropriate range and mix
of expertise, diversity, knowledge and added value?
- Is the organization’s senior official committed to widely accepted standards of correct
and proper behavior?

Corporate Control
- Has the board built long-term sustainable growth in shareholders value for the
corporation?
- Does it create an environment to take risk?
- Does it encourage enhanced performance?
- Does it recognize and manage risk?
- Does it remunerate fairly and responsibly?
- Does it recognize the legitimate interests of stakeholders?
- Are conflicts of interest avoided such that the organization’s best interests prevail at all
times?

The Future of Corporate Governance


➢ May 2001
○ Bangko Sentral ng Pilipinas (BSP) issued Circular 283 mandating the adoption
of good corporate governance practices by members of the boards of directors
of banks and non-bank financial institutions under its jurisdiction.
➢ April 2002
○ Securities and Exchange Commission (SEC) came out with its Code of
Corporate Governance
○ Applies to registered and listed corporations (local and foreign corporations)
➢ July 2002
○ Insurance Commission (IC) promulgated the Code of Corporate Governance for
all life and non-life insurance companies and intermediaries.
➢ June 2004
○ Energy Regulatory Commission (ERC) launched its program to promote good
corporate governance in distribution utilities.
➢ 2009 - SEC revised Code of Corporate Governance
➢ 2019 - SEC revised Code of Corporate Governance
➢ 2018 - ASEAN Corporate Governance
Soon it will be mandated for
- small and medium-sized enterprises (SMEs)
- family corporations

Illustrative Application of the Basic Principles of Corporate Governance and Best
Practice Recommendations

Each item below pairs a principle of good corporate governance with its best practice
recommendations.

1. Principle: A company should lay a solid foundation for management and oversight. It should
recognize and publish the respective roles and responsibilities of board and management.
Best practice recommendations:
a. Formalize and disclose the functions reserved to the board and those delegated to
management.

2. Principle: Structure the board to add value. Have a board of an effective composition, size
and commitment to adequately discharge its responsibilities and duties.
Best practice recommendations:
a. A board should have independent directors.
b. The roles of chairperson and chief executive officer should not be exercised by the
same individual.
c. The board should establish a nomination committee.

3. Principle: Promote ethical and responsible decision-making. Actively promote ethical and
responsible decision-making.
Best practice recommendations:
a. Establish a code of conduct to guide the directors, the chief executive officer (or
equivalent), the chief financial officer (or equivalent), and any other key executives as to
- the practices necessary to maintain confidence in the company's integrity
- the responsibility and accountability of individuals for reporting and investigating
reports of unethical practices
b. Disclose the policy concerning trading in company securities by directors, officers and
employees.

4. Principle: Safeguard integrity in financial reporting. Have a structure to independently verify
and safeguard the integrity of the company's financial reporting.
Best practice recommendations:
a. Require the chief executive officer (or equivalent) and the chief financial officer (or
equivalent) to state in writing to the board that the company's financial reports present a
true and fair view, in all material respects, of the company's financial condition and
operational results and are in accordance with relevant accounting standards.
b. The board should establish an audit committee.
c. Structure the audit committee so that it consists of
- non-executive or independent directors
- an independent chairperson, who is not chairperson of the board
- at least three (3) members

5. Principle: Make timely and balanced disclosure. Promote timely and balanced disclosure of
all material matters concerning the company.
Best practice recommendations:
a. Establish written policies and procedures designed to ensure compliance with IFRS.
b. Ensure compliance with listing rule disclosure requirements and ensure accountability
at a senior management level for compliance.

6. Principle: Respect the rights of shareholders and facilitate the effective exercise of those
rights.
Best practice recommendations:
a. Design and disclose a communications strategy to promote effective communication
with shareholders and encourage effective participation at general meetings.
b. Request the external auditor to attend the annual general meeting and be available to
answer shareholder questions about the audit.

7. Principle: Recognize and manage risk. Establish a sound system of risk oversight and
management and internal control.
Best practice recommendations:
a. The board or appropriate board committee should establish policies on risk oversight
and management.
b. The chief executive officer (or equivalent) and the chief financial officer (or equivalent)
should state to the board in writing that
- the statement given in accordance with the best practice recommendation on the
integrity of financial statements is founded on a sound system of risk management and
internal compliance and control which implements the policies adopted by the board.
- the company's risk management and internal compliance and control system is
operating efficiently in all material respects.

8. Principle: Encourage enhanced performance. Fairly review and actively encourage enhanced
board and management effectiveness.
Best practice recommendations:
a. Disclose the process for performance evaluation of the board, its committees and
individual directors, and key executives.

9. Principle: Remunerate fairly and responsibly. Ensure that the level and composition of
remuneration is sufficient and reasonable and that its relationship to corporate and individual
performance is defined.
Best practice recommendations:
a. Provide disclosure in relation to the company's remuneration policies to enable
investors to understand
- the costs and benefits of those policies
- the link between remuneration paid to directors and key executives and corporate
performance
b. The board should establish a remuneration committee.
c. Clearly distinguish the structure of non-executive directors' remuneration from that of
executives.
d. Ensure that payment of equity-based executive remuneration is made in accordance
with thresholds set in plans approved by shareholders.

10. Principle: Recognize the legitimate interests of stakeholders. Recognize legal and other
obligations to all legitimate stakeholders.
Best practice recommendations:
a. Establish and disclose a code of conduct to guide compliance with legal and other
obligations to legitimate stakeholders.

B. Corporate Governance Responsibilities and Accountabilities

Expected Learning Outcomes


1. Explain the relevance of good governance to both large publicly-listed companies and
SMEs
2. Know the relationship between shareholders or owners and other stakeholders
3. Identify the parties involved in corporate governance
4. Describe the respective broad role and specific responsibilities of the different parties in
a corporate setting

Responsibility and Accountability


➢ Stakeholder
○ has a vested interest in a company
➢ Shareholder
○ has a financial interest as a partial owner of the company
Difference between a Stakeholder and Shareholder
● Shareholders
- Hold shares in a company i.e. they own part of it
- Investors in the company
- Share in the profits and losses of the company
- Control the decisions of the company
● Stakeholders
- Have an “interest” in the activities of a business
- Do not own or control a business

Know the difference between


➢ Shareholder
- They are the owners of the company.
- Shareholders are present only in a company which is limited by shares.
- Shareholders include equity shareholders and preference shareholders.
- Shareholders are more concerned with return on investment.
➢ Stakeholder
- They may not be the owners but have an interest in the company's affairs.
- Every company has stakeholders.
- Stakeholders include shareholders, creditors, government, customers, etc.
- Stakeholders are more concerned with the performance of the company.

Authority, Responsibility and Accountability


● Authority - the right to give orders or valid instructions
● Responsibility - the obligation to achieve certain objectives
● Accountability - the obligation to report (give an account) to a higher authority for
the discharge of those responsibilities
● Power - the ability of individuals or groups to influence the beliefs or actions of other
persons or groups; it is more complicated than authority
Accountability
- The duty to ensure a task is completed
- Assigned to just one person
- Results-focused
- Cannot be delegated

Responsibility
- The obligation to complete a task
- Can be shared among a team
- Task-focused
- Can be delegated

Accountability of the Board to the Shareholders


- Financial performance
- Financial transparency - financial statements that are clear, with full disclosure, and that
reflect the underlying economics of the company
- Stewardship - how well the company protects and manages the resources entrusted to
it
- Quality of internal control
- Composition of the BOD and nature of its activities - information on how well
management incentive systems are aligned with the shareholders' best interest

Management Responsibility
- Choose which accounting principles best portray the economic substance of company
transactions
- Implement a system of internal control that assures completeness and accuracy in
financial reporting
- Ensure that the financial statements contain accurate and complete disclosure

Parties and an Overview of Their Responsibilities

Shareholders
1. Provide effective oversight through election of board members
2. Approval of major initiatives such as
- annual reports on management compensation
- buying or selling stocks

Board of Directors
1. The major representative of stockholders, ensuring that the organization is run
according to the organization's charter and that there is proper accountability
Overall operations
a. establishing the organization's vision, mission, values and ethical standards
b. delegating an appropriate level of authority to management
c. demonstrating leadership
d. assuming responsibility for the business relationship with the CEO, including his or her
appointment, succession, performance, remuneration and dismissal
e. overseeing aspects of the employment of the management team, including management
remuneration, performance and succession planning
f. recommending auditors and new directors to shareholders
g. ensuring effective communication with shareholders and other stakeholders
h. crisis management
i. appointment of the CFO and corporate secretary
Performance
a. ensuring the organization's long-term viability and enhancing the financial position
b. formulating and overseeing implementation of corporate strategy
c. approving the plan, budget, and corporate policies
d. monitoring and assessing the performance of the organization, the board itself,
management and major projects
e. overseeing the risk management framework and monitoring business risks
f. monitoring developments in the industry and the operating environment
g. oversight of the organization, including its control and accountability systems
h. approving and monitoring the progress of major capital expenditure, capital management,
and acquisitions and divestitures
Compliance / Legal Conformance
a. understanding and protecting the organization's financial position
b. requiring and monitoring legal and regulatory compliance, including compliance with
accounting standards, unfair trading legislation, occupational health and safety, and
environmental standards
c. approving annual financial reports, annual reports, and other public documents /
sensitive reports
d. ensuring an effective system of internal controls exists and is operating as expected

Non-Executive or Independent Directors
The same as the broad role of the entire board of directors
a. to understand the organization, its business, its operating environment and its financial
position
b. to apply expertise and skills in the organization's best interests
c. to assist management to keep performance objectives at the top of its agenda
d. to understand that his/her role is not to act as auditor, nor to act as a member of
management
e. to respect the collective, cabinet nature of the board's decisions
f. to prepare for and attend board meetings
g. to seek information on a timely basis to ensure that he/she is in a position to contribute
to the discussion when a matter comes before the board, or to alert the chairman in
advance to the need for further information in relation to a particular matter
h. to ask appropriate questions relative to operations

Management
Operations and accountability. Manage the organization effectively, and provide accurate and
timely reports to shareholders and other stakeholders
a. recommend the strategic direction and translate the strategic plan into the operations of
the business
b. manage the company's human, physical and financial resources to achieve the
organization's objectives and run the business
c. assume day-to-day responsibility for the organization's conformance with relevant laws
and regulations and the compliance framework
d. develop, implement and manage the organization's risk management and internal
control framework
e. develop, implement and update policies and procedures
f. be alert to relevant trends in the industry and the organization's operating environment
g. provide information to the board
h. act as a conduit between the board and the organization
i. develop financial and other reports that meet public, stakeholder and regulatory
requirements

Audit Committee of the BOD
Provide oversight of the internal and external audit function and the process of preparing the
annual financial statements, as well as public reports on internal control
a. selecting the external audit firm
b. approving any non-audit work performed by the audit firm
c. selecting and/or approving the appointment of the Chief Audit Executive (internal
auditor)
d. reviewing and approving the scope and budget of the internal audit function
e. discussing audit findings with the internal and external auditors, the board and
management, including the specific actions that should be taken

Regulators
Set accounting and auditing standards dictating underlying financial reporting and auditing
concepts, and set the expectations of audit quality and accounting quality.
a. Board of Accountancy
- Conducting the CPA Licensure Board Examinations
- Approving accounting principles
- Interpreting previously issued standards and implementing quality control processes to
ensure audit quality
- Educating members on audit and accounting requirements
b. SEC
- Ensuring the accuracy, timeliness and fairness of public reporting of financial and other
information for public companies
- Reviewing filings with the SEC
- Interacting with the Financial Reporting Standards Council in setting accounting
standards
- Specifying independence standards required of auditors that report on public financial
statements
- Identifying corporate frauds, investigating causes, and suggesting remedial actions

External Auditors
- Perform audits of company financial statements to ensure that the statements are free of
material misstatements, including misstatements that may be due to fraud
- Audit of public company financial statements
- Audit of nonpublic companies
- Other services such as tax consulting

Internal Auditors
- Perform audits of companies for compliance with company policies and laws, audits to
evaluate the efficiency of operations, and periodic evaluation and testing of controls
- Reporting results and analysis to management (including operational management) and
audit committees
- Evaluating internal controls

Summary of the Key Principles of Effective CG


1. The board's fundamental objective should be to build long-term sustainable growth in
shareholder value for the corporation.
2. Successful corporate governance depends upon successful management of the
company, as management has the primary responsibility for creating a culture of
performance with integrity and ethical behavior.
3. Effective CG should be integrated with the company's business strategy and not
viewed as simply a compliance obligation.
4. Transparency is a critical element of effective corporate governance, and companies
should make regular efforts to ensure that they have sound disclosure policies and
practices.
5. Independence and objectivity are necessary attributes of board members. However,
companies must also strike the right balance in the appointment of independent and
non-independent directors to ensure an appropriate range and mix of expertise,
diversity, and knowledge on the board.

Effect of a Strong CG Structure on the External Audit
● Less risky to audit - companies with effective CG are less likely to experience fraud
● Quality audit - the EA is strongly committed to providing a quality audit when the board and
audit committee embrace the fundamental principles of effective governance
● Reliable financial reporting - the EA can serve as an independent party working with the
board and management to help ensure reliable financial reporting

Effect of a Weak CG Structure on the External Audit

● Risk of fraud is high - the audit firm has to bear too much responsibility for assuring
reliable financial reporting
● Not an auditable company - ineffective CG increases fraud risk to such an extent that at some
point the client is not auditable from a risk-mitigation standpoint.

CORPORATE GOVERNANCE and BOD

What is Corporate Governance?


- Corporate Governance is the system by which companies are directed and controlled

Corporate Governance is the Responsibility of the Board of Directors


It is the Board of directors of each company that is legally responsible for the
governance of the company.
The shareholders' role in corporate governance is to appoint the directors (and the
auditors where required) and to satisfy themselves that an appropriate governance structure is
in place.

Key Responsibilities of the Board of Directors


● Setting the company’s objective and aims
● Determining the strategy to achieve those aims and objectives
● Providing the leadership to put them into effect
● Supervising the management of the business
● Reporting to shareholders on their stewardship of the business

Essential Elements of “Best Practice” Corporate Governance


● The role of CEO and Chairman in public companies should be separated
● Board should have at least three non-executive directors, two of whom should have no
financial or personal ties to executives
● Each board should have an audit committee composed of non-executive directors

C. Shareholder vs. Stakeholder Theory

Shareholder and stakeholder model


- A shareholder is always a stakeholder in a corporation, but a stakeholder is not always
a shareholder.

Shareholder Theory
➢ The shareholder theory was originally proposed by Milton Friedman and it states that
the sole responsibility of business is to increase profits
➢ It is based on the premise that management are hired as the agent of the shareholders
to run the company for their benefit, and therefore they are legally and morally obligated
to serve their interests.
➢ Stakeholder theory, on the other hand, states that a company owes a responsibility to a
wider group of stakeholders, other than just shareholders.
➢ A stakeholder is defined as any person/group which can affect/be affected by the
actions of a business. It includes employees, customers, suppliers, creditors and even
the wider community and competitors.
➢ Edward Freeman, the original proposer of the stakeholder theory, recognized it as an
important element of Corporate Social Responsibility (CSR), a concept which
recognizes the responsibilities of corporations in the world today, whether they be
economic, legal, ethical or even philanthropic.

Stakeholder
➢ Principal Stakeholders
○ Shareholders
○ Management
○ Board of Directors
➢ Other Stakeholders
○ Employees, suppliers, customers, banks, other lenders, regulators, the
environment, and the community at large

OECD Principles of Corporate Governance
➢ The G20 / OECD Principles of Corporate Governance help policy makers evaluate and
improve the legal, regulatory, and institutional framework for corporate governance, with
a view to supporting economic efficiency, sustainable growth and financial stability.
➢ First published in 1999, the Principles have since become the international benchmark.
In 2015, the updated Principles were endorsed by the OECD Council and the G20
Leaders Summit.

F. Differences of Corporate Governance around the World

The Anglo-US Model (Anglo-Saxon Model)

➢ Was crafted by the more individualistic business societies in Great Britain and the
United States.
➢ Presents the board of directors and shareholders as the controlling parties. The
managers and chief officers ultimately have secondary authority.
➢ Managers derive their authority from the board, which is (theoretically) beholden to
voting shareholders' approval.
➢ Most companies with Anglo-US corporate governance systems have legislative
controls over shareholders' ability to assert practical, day-to-day control over the
company.
➢ The capital and shareholder structure are highly dispersed in the Anglo-US markets.
Moreover, regulatory authorities, such as the U.S. Securities and Exchange
Commission (SEC), explicitly support shareholders over boards or managers.

The German model, sometimes referred to as the continental model or European model
➢ Is carried out by two groups. The supervisory council and the executive board.
➢ The executive board is in charge of corporate management; the supervisory council
controls the executive board.
➢ The supervisory council is chosen by employees and shareholders. Government and
national interest are strong influences in the continental model, and much attention is
paid to the corporation’s responsibility to submit to government objectives and the
betterment of society.
➢ Banks also often play a large role financially and in decision making for firms.

The Japanese Model


➢ Governance patterns take shape in light of two dominant legal relationships; one
between shareholders, customers, suppliers, creditors, and employee unions; the other
between administrators, managers, and shareholders.
➢ There is a sense of joint responsibility and balance to the Japanese model. The
Japanese word for this balance is “keiretsu,” which roughly translates to loyalty between
suppliers and customers. In practice, this balance takes the form of defensive posturing
and distrust of new business relationships in favor of the old.
➢ Japanese regulators play a large role in corporate policies, often because corporations'
major stakeholders include Japanese officials. The central banks and the Japanese
Ministry of Finance review relationships between different groups and have implicit.
➢ Given the interrelationship and concentration of power among the many Japanese
corporations and banks, it is also not surprising that corporate transparency is lacking in
the Japanese model. Individual investors are seen as less important than business
entities, the government, and union groups.

REVISED CODE OF CORPORATE GOVERNANCE

Pursuant to its mandate under the Securities Regulation Code and the Corporation Code, the
Securities and Exchange Commission (the “Commission”), in a meeting held on June 18,
2009, approved the promulgation of this Revised Code of Corporate Governance (the
“Code”) which shall apply to registered corporations and to branches or subsidiaries of
foreign corporations operating in the Philippines that

(a) sell equity and/or debt securities to the public that are required to be
registered with the Commission, or
(b) have assets in excess of Fifty Million Pesos and at least two hundred
(200) stockholders who own at least one hundred (100) shares each of equity
securities, or
(c) whose equity securities are listed on an Exchange; or
(d) are grantees of secondary licenses from the Commission.

Article 1: Definition of Terms

a) Corporate Governance – the framework of rules, systems and
processes in the corporation that governs the performance by the
Board of Directors and Management of their respective duties and
responsibilities to the stockholders;

b) Board of Directors – the governing body elected by the stockholders
that exercises the corporate powers of a corporation, conducts all its
business and controls its properties;

c) Exchange – an organized market place or facility that brings together
buyers and sellers, and executes trades of securities and/or
commodities;

d) Management – the body given the authority by the Board of Directors
to implement the policies it has laid down in the conduct of the
business of the corporation;

e) Independent director – a person who, apart from his fees and
shareholdings, is independent of management and free from any
business or other relationship which could, or could reasonably be
perceived to, materially interfere with his exercise of independent
judgment in carrying out his responsibilities as a director;

f) Executive director – a director who is also the head of a department
or unit of the corporation or performs any work related to its
operation;

g) Non-executive director – a director who is not the head of a
department or unit of the corporation nor performs any work related to
its operation;

h) Non-audit work – the other services offered by an external auditor to
a corporation that are not directly related and relevant to its statutory
audit functions, such as, accounting, payroll, bookkeeping,
reconciliation, computer project management, data processing, or
information technology outsourcing services, internal audit, and other
services that may compromise the independence and objectivity of an
external auditor;

i) Internal control – the system established by the Board of Directors
and Management for the accomplishment of the corporation’s
objectives, the efficient operation of its business, the reliability of its
financial reporting, and faithful compliance with applicable laws,
regulations and internal rules;

j) Internal control system – the framework under which internal controls
are developed and implemented (alone or in concert with other
policies or procedures) to manage and control a particular risk or
business activity, or combination of risks or business activities, to
which the corporation is exposed;

k) Internal audit – an independent and objective assurance activity
designed to add value to and improve the corporation’s operations,
and help it accomplish its objectives by providing a systematic and
disciplined approach in the evaluation and improvement of the
effectiveness of risk management, control and governance processes;

l) Internal audit department – a department or unit of the corporation
and its consultants, if any, that provide independent and objective
assurance services in order to add value to and improve the
corporation’s operations;

m) Internal Auditor – the highest position in the corporation responsible
for internal audit activities. If internal audit activities are performed by
outside service providers, he is the person responsible for overseeing
the service contract, the overall quality of these activities, and
follow-up of engagement results.

Article 2: Rules of Interpretation

A) All references to the masculine gender in the salient
provisions of this Code shall likewise cover the feminine
gender.

B) All doubts or questions that may arise in the interpretation or
application of this Code shall be resolved in favor of
promoting transparency, accountability and fairness to the
stockholders and investors of the corporation.

Article 3: Board Governance

The Board of Directors (the “Board”) is primarily responsible for the governance
of the corporation. Corollary to setting the policies for the accomplishment of
the corporate objectives, it shall provide an independent check on
Management.

A) Composition of the Board

The Board shall be composed of at least five (5), but not more than
fifteen (15), members who are elected by the stockholders.
All companies covered by this Code shall have at least two (2)
independent directors or such number of independent directors
that constitutes twenty percent (20%) of the members of the Board,
whichever is lesser, but in no case less than two (2). All other
companies are encouraged to have independent directors in their
boards.

The membership of the Board may be a combination of executive
and non-executive directors (which include independent directors)
in order that no director or small group of directors can dominate
the decision-making process.
The non-executive directors should possess such qualifications
and stature that would enable them to effectively participate in the
deliberations of the Board.

B) Multiple Board Seats

The Board may consider the adoption of guidelines on the number
of directorships that its members can hold in stock and non-stock
corporations. The optimum number should take into consideration
the capacity of a director to diligently and efficiently perform his
duties and responsibilities.

The Chief Executive Officer (“CEO”) and other executive directors
may be covered by a lower indicative limit for membership in other
boards. A similar limit may apply to independent or non-executive
directors who, at the same time, serve as full-time executives in
other corporations. In any case, the capacity of the directors to
diligently and efficiently perform their duties and responsibilities to
the boards they serve should not be compromised.

C) The Chair and Chief Executive Officer

The roles of Chair and CEO should, as much as practicable, be
separate to foster an appropriate balance of power, increased
accountability and better capacity for independent decision-making
by the Board. A clear delineation of functions should be made
between the Chair and CEO upon their election.

If the positions of Chair and CEO are unified, the proper checks
and balances should be laid down to ensure that the Board gets
the benefit of independent views and perspectives.

The duties and responsibilities of the Chair in relation to the Board
may include, among others, the following:

(i) Ensure that the meetings of the Board are held in
accordance with the by-laws or as the Chair may deem
necessary;
(ii) Supervise the preparation of the agenda of the meeting in
coordination with the Corporate Secretary, taking into
consideration the suggestions of the CEO,
Management and the directors; and
(iii) Maintain qualitative and timely lines of
communication and information between the Board and
Management.

D) Qualifications of Directors
In addition to the qualifications for membership in the Board
provided for in the Corporation Code, Securities Regulation Code
and other relevant laws, the Board may provide for additional
qualifications which include, among others, the following:
(i) College education or equivalent academic degree;
(ii) Practical understanding of the business of the
corporation;
(iii) Membership in good standing in relevant industry,
business or professional organizations; and
(iv) Previous business experience.

E) Disqualification of Directors
1. Permanent Disqualification
The following shall be grounds for the permanent disqualification of
a director:
(i) Any person convicted by final judgment or order by a
competent judicial or administrative body of any crime that (a)
involves the purchase or sale of securities, as defined in the
Securities Regulation Code; (b) arises out of the person’s conduct
as an underwriter, broker, dealer, investment adviser, principal,
distributor, mutual fund dealer, futures commission merchant,
commodity trading advisor, or floor broker; or (c) arises out of his
fiduciary relationship with a bank, quasi-bank, trust company,
investment house or as an affiliated person of any of them;
(ii) Any person who, by reason of misconduct, after hearing, is
permanently enjoined by a final judgment or order of the
Commission or any court or administrative body of competent
jurisdiction from: (a) acting as underwriter, broker, dealer,
investment adviser, principal distributor, mutual fund dealer, futures
commission merchant, commodity trading advisor, or floor broker;
(b) acting as director or officer of a bank, quasi-bank, trust
company, investment house, or investment company; (c) engaging
in or continuing any conduct or practice in any of the capacities
mentioned in sub-paragraphs (a) and (b) above, or willfully
violating the laws that govern securities and banking activities.

The disqualification shall also apply if such person is currently the subject
of an order of the Commission or any court or administrative body denying,
revoking or suspending any registration, license or permit issued to him under
the Corporation Code, Securities Regulation Code or any other law
administered by the Commission or Bangko Sentral ng Pilipinas (BSP), or under
any rule or regulation issued by the Commission or BSP, or has otherwise been
restrained to engage in any activity involving securities and banking; or such
person is currently the subject of an effective order of a self-regulatory
organization suspending or expelling him from membership, participation or
association with a member or participant of the organization;
(iii) Any person convicted by final judgment or order by a court or
competent administrative body of an offense involving moral
turpitude, fraud, embezzlement, theft, estafa, counterfeiting,
misappropriation, forgery, bribery, false affirmation, perjury or other
fraudulent acts;
(iv) Any person who has been adjudged by final judgment or order
of the Commission, court, or competent administrative body to
have willfully violated, or willfully aided, abetted, counseled,
induced or procured the violation of any provision of the
Corporation Code, Securities Regulation Code or any other law
administered by the Commission or BSP, or any of its rule,
regulation or order;
(v) Any person earlier elected as independent director who
becomes an officer, employee or consultant of the same
corporation;
(vi) Any person judicially declared as insolvent;
(vii) Any person found guilty by final judgment or order of a foreign
court or equivalent financial regulatory authority of acts, violations
or misconduct similar to any of the acts, violations or misconduct
enumerated in sub-paragraphs (i) to (v) above;
(viii) Conviction by final judgment of an offense punishable by
imprisonment for more than six (6) years, or a violation of the
Corporation Code committed within five (5) years prior to the date
of his election or appointment.
2. Temporary Disqualification
The Board may provide for the temporary disqualification of a
director for any of the following reasons:
(i) Refusal to comply with the disclosure requirements of the
Securities Regulation Code and its Implementing Rules and
Regulations. The disqualification shall be in effect as long as the
refusal persists.
(ii) Absence in more than fifty (50) percent of all regular and
special meetings of the Board during his incumbency, or any
twelve (12) month period during the said incumbency, unless the
absence is due to illness, death in the immediate family or serious
accident. The disqualification shall apply for purposes of the
succeeding election.
(iii) Dismissal or termination for cause as director of any
corporation covered by this Code. The disqualification shall be in
effect until he has cleared himself from any involvement in the
cause that gave rise to his dismissal or termination.
(iv) If the beneficial equity ownership of an independent director in
the corporation or its subsidiaries and affiliates exceeds two
percent of its subscribed capital stock. The disqualification shall be
lifted if the limit is later complied with.
(v) If any of the judgments or orders cited in the grounds for
permanent disqualification has not yet become final.
A temporarily disqualified director shall, within sixty (60) business days from
such disqualification, take the appropriate action to remedy or correct the
disqualification. If he fails or refuses to do so for unjustified reasons, the
disqualification shall become permanent.

F) Responsibilities, Duties and Functions of the Board

1. General Responsibility
- It is the Board’s responsibility to foster the long-term
success of the corporation, and to sustain its
competitiveness and profitability in a manner consistent
with its corporate objectives and the best interests of its
stockholders.
- The Board should formulate the corporation’s vision,
mission, strategic objectives, policies and procedures
that shall guide its activities, including the means to
effectively monitor Management’s performance.

2. Duties and Functions

To ensure a high standard of best practice for the corporation
and its stockholders, the Board should conduct itself with
honesty and integrity in the performance of, among others,
the following duties and functions:
a. Implement a process for the selection of directors who
can add value and contribute independent judgment to
the formulation of sound corporate strategies and
policies. Appoint competent, professional, honest and
highly-motivated management officers. Adopt an
effective succession planning program for
Management.
b. Provide sound strategic policies and guidelines to the
corporation on major capital expenditures. Establish
programs that can sustain its long-term viability and
strength. Periodically evaluate and monitor the
implementation of such policies and strategies,
including the business plans, operating budgets and
Management’s overall performance.
c. Ensure the corporation’s faithful compliance with all
applicable laws, regulations and best business
practices.
d. Establish and maintain an investor relations program
that will keep the stockholders informed of important
developments in the corporation. If feasible, the
corporation’s CEO or chief financial officer shall
exercise oversight responsibility over this program.
e. Identify the sectors in the community in which the
corporation operates or are directly affected by its
operations, and formulate a clear policy of accurate,
timely and effective communication with them.
f. Adopt a system of check and balance within the Board.
A regular review of the effectiveness of such system
should be conducted to ensure the integrity of the
decision-making and reporting processes at all times.
There should be a continuing review of the
corporation’s internal control system in order to
maintain its adequacy and effectiveness.
g. Identify key risk areas and performance indicators and
monitor these factors with due diligence to enable the
corporation to anticipate and prepare for possible
threats to its operational and financial viability.
h. Formulate and implement policies and procedures that
would ensure the integrity and transparency of related
party transactions between and among the corporation
and its parent company, joint ventures, subsidiaries,
associates, affiliates, major stockholders, officers and
directors, including their spouses, children and
dependent siblings and parents, and of interlocking
director relationships by members of the Board.
i. Constitute an Audit Committee and such other
committees it deems necessary to assist the Board in
the performance of its duties and responsibilities.
j. Establish and maintain an alternative dispute resolution
system in the corporation that can amicably settle
conflicts or differences between the corporation and its
stockholders, and the corporation and third parties,
including the regulatory authorities.
k. Meet at such times or frequency as may be needed.
The minutes of such meetings should be duly recorded.
Independent views during Board meetings should be
encouraged and given due consideration.
l. Keep the activities and decisions of the Board within its
authority under the articles of incorporation and
by-laws, and in accordance with existing laws, rules
and regulations.
m. Appoint a Compliance Officer who shall have the rank
of at least vice president. In the absence of such
appointment, the Corporate Secretary, preferably a
lawyer, shall act as Compliance Officer.

G) Specific Duties and Responsibilities of a Director

A director’s office is one of trust and confidence. A director should
act in the best interest of the corporation in a manner characterized
by transparency, accountability and fairness. He should also
exercise leadership, prudence and integrity in directing the
corporation towards sustained progress.

A director should observe the following norms of conduct:

(i) Conduct fair business transactions with the corporation,
and ensure that his personal interest does not conflict
with the interests of the corporation.
The basic principle to be observed is that a director should
not use his position to profit or gain some benefit or
advantage for himself and/or his related interests. He should
avoid situations that may compromise his impartiality. If an
actual or potential conflict of interest may arise on the part of
a director, he should fully and immediately disclose it and
should not participate in the decision-making process. A
director who has a continuing material conflict of interest
should seriously consider resigning from his position.
A conflict of interest shall be considered material if the
director’s personal or business interest is antagonistic to that
of the corporation, or stands to acquire or gain financial
advantage at the expense of the corporation.

(ii) Devote the time and attention necessary to properly and
effectively perform his duties and responsibilities.
A director should devote sufficient time to familiarize himself
with the corporation’s business. He should be constantly
aware of and knowledgeable with the corporation’s
operations to enable him to meaningfully contribute to the
Board’s work. He should attend and actively participate in
Board and committee meetings, review meeting materials
and, if called for, ask questions or seek explanation.

(iii) Act judiciously.
Before deciding on any matter brought before the Board, a
director should carefully evaluate the issues and, if
necessary, make inquiries and request clarification.

(iv) Exercise independent judgment.
A director should view each problem or situation objectively.
If a disagreement with other directors arises, he should
carefully evaluate and explain his position. He should not be
afraid to take an unpopular position. Corollarily, he should
support plans and ideas that he thinks are beneficial to the
corporation.

(v) Have a working knowledge of the statutory and regulatory
requirements that affect the corporation, including its
articles of incorporation and by-laws, the rules and
regulations of the Commission and, where applicable,
the requirements of relevant regulatory agencies.
A director should also keep abreast with industry
developments and business trends in order to promote
the corporation’s competitiveness.

(vi) Observe confidentiality.
A director should keep secure and confidential all non-public
information he may acquire or learn by reason of his position
as director. He should not reveal confidential information to
unauthorized persons without the authority of the Board.

H) Internal Control Responsibilities of the Board

The control environment of the corporation consists of (a) the
Board which ensures that the corporation is properly and
effectively managed and supervised; (b) a Management that
actively manages and operates the corporation in a sound and
prudent manner; (c) the organizational and procedural controls
supported by effective management information and risk
management reporting systems; and (d) an independent audit
mechanism to monitor the adequacy and effectiveness of the
corporation’s governance, operations, and information systems,
including the reliability and integrity of financial and operational
information, the effectiveness and efficiency of operations, the
safeguarding of assets, and compliance with laws, rules,
regulations and contracts.
(i) The minimum internal control mechanisms for the
performance of the Board’s oversight responsibility may
include:
a. Definition of the duties and responsibilities of the CEO
who is ultimately accountable for the corporation’s
organizational and operational controls;
b. Selection of the person who possesses the ability,
integrity and expertise essential for the position of
CEO;
c. Evaluation of proposed senior management
appointments;
d. Selection and appointment of qualified and competent
management officers; and
e. Review of the corporation’s human resource policies,
conflict of interest situations, compensation program
for employees, and management succession plan.

(ii) The scope and particulars of the systems of effective
organizational and operational controls may differ
among corporations depending on, among others, the
following factors: nature and complexity of the business
and the business culture; volume, size and complexity
of transactions; degree of risks involved; degree of
centralization and delegation of authority; extent and
effectiveness of information technology; and extent of
regulatory compliance.
(iii) A corporation may establish an internal audit system that
can reasonably assure the Board, Management and
stockholders that its key organizational and operational
controls are faithfully complied with. The Board may
appoint an Internal Auditor to perform the audit
function, and may require him to report to a level in the
organization that allows the internal audit activity to
fulfill its mandate. The Internal Auditor shall be guided
by the International Standards on Professional Practice
of Internal Auditing.

I) Board Meetings and Quorum Requirement

The members of the Board should attend its regular and special
meetings in person or through teleconferencing conducted in
accordance with the rules and regulations of the Commission.

Independent directors should always attend Board meetings.
Unless otherwise provided in the by-laws, their absence shall not
affect the quorum requirement. However, the Board may, to
promote transparency, require the presence of at least one
independent director in all its meetings.

To monitor the directors’ compliance with the attendance
requirements, corporations shall submit to the Commission, on or
before January 30 of the following year, a sworn certification about
the directors’ record of attendance in Board meetings. The
certification may be submitted through SEC Form 17-C or in a
separate filing.

J) Remuneration of Directors and Officers

The levels of remuneration of the corporation should be sufficient
to be able to attract and retain the services of qualified and
competent directors and officers. A portion of the remuneration of
executive directors may be structured or be based on corporate
and individual performance.

Corporations may establish formal and transparent procedures for
the development of a policy on executive remuneration or
determination of remuneration levels for individual directors and
officers depending on the particular needs of the corporation. No
director should participate in deciding on his remuneration.

The corporation’s annual reports and information and proxy
statements shall include a clear, concise and understandable
disclosure of all fixed and variable compensation that may be paid,
directly or indirectly, to its directors and top four (4) management
officers during the preceding fiscal year.
To protect the funds of a corporation, the Commission may, in
exceptional cases, e.g., when a corporation is under receivership
or rehabilitation, regulate the payment of the compensation,
allowances, fees and fringe benefits to its directors and officers.

K) Board Committees
The Board shall constitute the proper committees to assist it in
good corporate governance.

(i) The Audit Committee shall consist of at least three (3) directors,
who shall preferably have accounting and finance backgrounds,
one of whom shall be an independent director and another with
audit experience. The chair of the Audit Committee should be an
independent director. The committee shall have the following
functions:
a. Assist the Board in the performance of its oversight
responsibility for the financial reporting process,
system of internal control, audit process, and
monitoring of compliance with applicable laws, rules
and regulations;
b. Provide oversight over Management’s activities in
managing credit, market, liquidity, operational, legal
and other risks of the corporation. This function shall
include regular receipt from Management of
information on risk exposures and risk management
activities;
c. Perform oversight functions over the corporation’s
internal and external auditors. It should ensure that the
internal and external auditors act independently from
each other, and that both auditors are given
unrestricted access to all records, properties and
personnel to enable them to perform their respective
audit functions;
d. Review the annual internal audit plan to ensure its
conformity with the objectives of the corporation. The
plan shall include the audit scope, resources and
budget necessary to implement it;
e. Prior to the commencement of the audit, discuss with
the external auditor the nature, scope and expenses of
the audit, and ensure proper coordination if more than
one audit firm is involved in the activity to secure
proper coverage and minimize duplication of efforts;
f. Organize an internal audit department, and consider
the appointment of an independent internal auditor and
the terms and conditions of its engagement and
removal;
g. Monitor and evaluate the adequacy and effectiveness
of the corporation’s internal control system, including
financial reporting control and information technology
security;
h. Review the reports submitted by the internal and
external auditors;
i. Review the quarterly, half-year and annual financial
statements before their submission to the Board, with
particular focus on the following matters:
- Any change/s in accounting policies and
practices
- Major judgmental areas
- Significant adjustments resulting from the audit
- Going concern assumptions
- Compliance with accounting standards
- Compliance with tax, legal and
regulatory requirements

j. Coordinate, monitor and facilitate compliance with laws,
rules and regulations;
k. Evaluate and determine the non-audit work, if any,
of the external auditor, and review periodically the
non-audit fees paid to the external auditor in relation
to their significance to the total annual income of the
external auditor and to the corporation’s overall
consultancy expenses. The committee shall disallow
any non-audit work that will conflict with his duties as
an external auditor or may pose a threat to his
independence. The non-audit work, if allowed, should
be disclosed in the corporation’s annual report;
l. Establish and identify the reporting line of the
Internal Auditor to enable him to properly fulfill his
duties and responsibilities. He shall functionally
report directly to the Audit Committee.
The Audit Committee shall ensure that, in the
performance of the work of the Internal Auditor, he
shall be free from interference by outside parties.

For Philippine branches or subsidiaries of foreign
corporations covered by this Code, their Internal
Auditor should be independent of the Philippine
operations and should report to the regional or
corporate headquarters.

(ii) The Board may also organize the following committees:

a. A Nomination Committee, which may be composed of
at least three (3) members and one of whom should be
an independent director, to review and evaluate the
qualifications of all persons nominated to the Board
and other appointments that require Board approval,
and to assess the effectiveness of the Board’s
processes and procedures in the election or
replacement of directors;
b. A Compensation or Remuneration Committee, which
may be composed of at least three (3) members and
one of whom should be an independent director, to
establish a formal and transparent procedure for developing a
policy on remuneration of directors and officers to
ensure that their compensation is consistent with the
corporation’s culture, strategy and the business
environment in which it operates.

L) The Corporate Secretary

The Corporate Secretary, who should be a Filipino citizen and a
resident of the Philippines, is an officer of the corporation. He
should
(i) Be responsible for the safekeeping and preservation of
the integrity of the minutes of the meetings of the
Board and its committees, as well as the other
official records of the corporation;
(ii) Be loyal to the mission, vision and objectives of the
corporation;
(iii) Work fairly and objectively with the Board,
Management and stockholders;
(iv) Have appropriate administrative and interpersonal
skills;
(v) If he is not at the same time the corporation’s legal
counsel, be aware of the laws, rules and
regulations necessary in the performance of his
duties and responsibilities;
(vi) Have a working knowledge of the operations of the
corporation;
(vii) Inform the members of the Board, in accordance with
the by-laws, of the agenda of their meetings and
ensure that the members have before them
accurate information that will enable them to arrive
at intelligent decisions on matters that require their
approval;
(viii) Attend all Board meetings, except when justifiable
causes, such as, illness, death in the immediate
family and serious accidents, prevent him from
doing so;
(ix) Ensure that all Board procedures, rules and regulations
are strictly followed by the members; and
(x) If he is also the Compliance Officer, perform all the
duties and responsibilities of the said officer as
provided for in this Code.

M) The Compliance Officer

The Board shall appoint a Compliance Officer who shall report
directly to the Chair of the Board. He shall perform the following
duties:
(i) Monitor compliance by the corporation with this Code and the
rules and regulations of regulatory agencies and, if any violations
are found, report the matter to the Board and recommend the
imposition of appropriate disciplinary action on the responsible
parties and the adoption of measures to prevent a repetition of the
violation;
(ii) Appear before the Commission when summoned in relation to
compliance with this Code; and
(iii) Issue a certification every January 30th of the year on the extent
of the corporation’s compliance with this Code for the completed
year and, if there are any deviations, explain the reason for such
deviation.

Article 4: Adequate and Timely Information

To enable the members of the Board to properly fulfill their duties and
responsibilities, Management should provide them with complete,
adequate and timely information about the matters to be taken in their
meetings.

Reliance on information volunteered by Management would not be
sufficient in all circumstances and further inquiries may have to be made
by a member of the Board to enable him to properly perform his duties
and responsibilities. Hence, the members should be given independent
access to Management and the Corporate Secretary.

The information may include the background or explanation on matters
brought before the Board, disclosures, budgets, forecasts and internal
financial documents.

The members, either individually or as a Board, and in furtherance of
their duties and responsibilities, should have access to independent
professional advice at the corporation’s expense.

Article 5: Accountability and Audit
a. The Board is primarily accountable to the stockholders. It
should provide them with a balanced and comprehensible
assessment of the corporation’s performance, position and
prospects on a quarterly basis, including interim and other
reports that could adversely affect its business, as well as
reports to regulators that are required by law.

Thus, it is essential that Management provide all members of


the Board with accurate and timely information that would
enable the Board to comply with its responsibilities to the
stockholders.

Management should formulate, under the supervision of the


Audit Committee, the rules and procedures on financial
reporting and internal control in accordance with the following
guidelines

(i) The extent of its responsibility in the preparation of the


financial statements of the corporation, with the
corresponding delineation of the responsibilities that pertain
to the external auditor, should be clearly explained;

(ii) An effective system of internal control that will ensure the


integrity of the financial reports and protection of the assets
of the corporation should be maintained

(iii) On the basis of the approved audit plans, internal audit
examinations should cover, at the minimum, the evaluation of
the adequacy and effectiveness of controls that cover the
corporation’s governance, operations and information
systems, including the reliability and integrity of financial and
operational information, effectiveness and efficiency of
operations, protection of assets, and compliance with
contracts, laws, rules and regulations;

(iv) The corporation should consistently comply with the
financial reporting requirements of the Commission;
(v) The external auditor should be rotated or changed every
five (5) years or earlier, or the signing partner of the external
auditing firm assigned to the corporation, should be changed
with the same frequency. The Internal Auditor should submit
to the Audit Committee and Management an annual report
on the internal audit department’s activities, responsibilities
and performance relative to the audit plans and strategies as
approved by the Audit Committee. The annual report should
include significant risk exposures, control issues and such
other matters as may be needed or requested by the Board
and Management. The Internal Auditor should certify that he
conducts his activities in accordance with the International
Standards on the Professional Practice of Internal Auditing. If
he does not, he shall disclose to the Board and Management
the reasons why he has not fully complied with the said
standards.

b. The Board, after consultations with the Audit Committee, shall
recommend to the stockholders an external auditor duly
accredited by the Commission who shall undertake an
independent audit of the corporation, and shall provide an
objective assurance on the manner by which the financial
statements shall be prepared and presented to the
stockholders. The external auditor shall not, at the same
time, provide internal audit services to the corporation.
Non-audit work may be given to the external auditor,
provided it does not conflict with his duties as an
independent auditor, or does not pose a threat to his
independence.

If the external auditor resigns, is dismissed or ceases to perform
his services, the reason/s for and the date of effectivity of such
action shall be reported in the corporation’s annual and current
reports. The report shall include a discussion of any disagreement
between him and the corporation on accounting principles or
practices, financial disclosures or audit procedures which the
former auditor and the corporation failed to resolve satisfactorily. A
preliminary copy of the said report shall be given by the
corporation to the external auditor before its submission.
If the external auditor believes that any statement made in an
annual report, information statement or any report filed with the
Commission or any regulatory body during the period of his
engagement is incorrect or incomplete, he shall give his comments
or views on the matter in the said reports.

Article 6: Stockholders’ Rights and Protection of Minority Stockholders’
Interests

A) The Board shall respect the rights of the stockholders as
provided for in the Corporation Code, namely:

(i) Right to vote on all matters that require their consent or
approval;

(ii) Pre-emptive right to all stock issuances of the corporation;

(iii) Right to inspect corporate books and records;

(iv) Right to information;

(v) Right to dividends; and
(vi) Appraisal right.

B) The Board should be transparent and fair in the conduct of
the annual and special stockholders’ meetings of the
corporation. The stockholders should be encouraged to
personally attend such meetings. If they cannot attend, they
should be apprised ahead of time of their right to appoint a
proxy. Subject to the requirements of the by-laws, the
exercise of that right shall not be unduly restricted and any
doubt about the validity of a proxy should be resolved in the
stockholder’s favor.

It is the duty of the Board to promote the rights of the stockholders,
remove impediments to the exercise of those rights and provide an
adequate avenue for them to seek timely redress for breach of
their rights.
The Board should take the appropriate steps to remove excessive
or unnecessary costs and other administrative impediments to the
stockholders’ meaningful participation in meetings, whether in
person or by proxy. Accurate and timely information should be
made available to the stockholders to enable them to make a
sound judgment on all matters brought to their attention for
consideration or approval.

Although all stockholders should be treated equally or without
discrimination, the Board should give minority stockholders the
right to propose the holding of meetings and the items for
discussion in the agenda that relate directly to the business of the
corporation.

Article 7: Governance Self-Rating System

The Board may create an internal self-rating system that can measure
the performance of the Board and Management in accordance with the
criteria provided for in this Code.

The creation and implementation of such self-rating system, including its
salient features, may be disclosed in the corporation’s annual report.

Article 8: Disclosure and Transparency

The essence of corporate governance is transparency. The more
transparent the internal workings of the corporation are, the more difficult
it will be for Management and dominant stockholders to mismanage the
corporation or misappropriate its assets.

It is therefore essential that all material information about the corporation
which could adversely affect its viability or the interests of the
stockholders should be publicly and timely disclosed. Such information
should include, among others, earnings results, acquisition or disposition
of assets, off balance sheet transactions, related party transactions, and
direct and indirect remuneration of members of the Board and
Management. All such information should be disclosed through the
appropriate Exchange mechanisms and submissions to the Commission.

Article 9: Commitment to Good Corporate Governance
All covered corporations shall establish and implement their corporate
governance rules in accordance with this Code. The rules shall be
embodied in a manual that can be used as reference by the members of
the Board and Management. The manual should be submitted to the
Commission for its evaluation within one hundred eighty (180) business
days from the date this Code becomes effective to enable the Commission
to determine its compliance with this Code taking into consideration the
nature, size and scope of the business of the corporation; provided,
however, that corporations that have earlier submitted their manual may,
at their option, continue to use the said manual as long as it complies
with the provisions of this Code.

The manual shall be made available for inspection by any shareholder at
reasonable hours on business days.

Article 10: Regular Review of the Code and the Scorecard

To monitor the compliance by covered corporations with this Code, the
Commission may require them to accomplish annually a scorecard on
the scope, nature and extent of the actions they have taken to meet the
objectives of this Code.

The Commission shall periodically review this Code to ensure that it
meets its objectives.

Article 11: Administrative Sanctions

A fine of not more than Two Hundred Thousand Pesos (P200,000) shall,
after due notice and hearing, be imposed for every year that a covered
corporation violates the provisions of this Code, without prejudice to
other sanctions that the Commission may be authorized to impose under
the law; provided, however, that any violation of the Securities
Regulation Code punishable by a specific penalty shall be assessed
separately and shall not be covered by the abovementioned fine.

Article 12: Effective Date

This Memorandum Circular shall take effect on July 15, 2009.

Signed this 22nd day of June 2009 at Mandaluyong City,
Philippines.

For the Commission:

Fe B. Barin, Chairperson

Roles and Responsibilities of Board of Directors

● On February 20, 2019, Philippine President Rodrigo Duterte signed into law Republic Act
(RA) No. 11232 or the Revised Corporation Code of the Philippines (Revised Code). The
Revised Code expressly repeals Batas Pambansa Blg. 68 or the Corporation Code of the
Philippines, and aims to improve the ease of doing business in the country.
● The Revised Code took effect on 23 February 2019.

Board of Directors or BOD

● In relation to a company means the collective body of elected or appointed members
(editors) who jointly oversee the activities of the company or organization.
● Every company shall have a board of directors consisting of individuals as directors and
shall have:
● The articles of incorporation of a close corporation may provide that the business of the
corporation shall be managed by the stockholders of the corporation rather than by a
board of directors.
● Board of Trustees - Trustees of educational institutions organized as non-stock
corporations shall not be less than five (5) nor more than fifteen (15): Provided, that the
number of trustees shall be in multiples of five (5).
● Single Stockholder as Director, President - The single stockholder shall be the sole
director and president of the One Person Corporation.
● In law there is no real distinction between the different categories of directors. Thus, for
purposes of the Act, all directors are required to comply with the relevant provisions, and
meet the required standard of conduct when performing their functions and duties.
● The classification of directors becomes particularly important when determining the
appropriate membership of specialist board committees, and when making disclosures
of the directors’ remuneration in the company’s annual report.

Types of Directors: Private limited company

● A private limited company is a separate legal entity. The director acts on behalf of it and
fulfills the managerial duties. Along with that, he takes decisions for the company and
keeps it compliant.
● In a limited company, the liability of members or subscribers of the company is limited to
what they have invested or guaranteed to the company.

Types of Directors
1. Executive Director
● He/she is the full-time working director of the company. They have a higher
responsibility towards the organization. The company and its employees expect
them to be efficient and careful in all the dealings.
● Through his or her privileged position, has an intimate knowledge of the workings
of the company. There can, therefore, be an imbalance in the amount and quality
of information regarding the company’s affairs possessed by executive and
non-executive directors.
● He carries an added responsibility. They are entrusted with ensuring that the
information laid before the board by management is an accurate reflection of their
understanding of the affairs of the company.
● Executive directors need to strike a balance between their management of the
company, and their fiduciary duties and concomitant independent state of mind
required when serving on the board. The executive director needs to ask himself
“Is this right for the company?”, and not “Is this right for the management of the
company?”

2. Independent Director
● Is a non-executive director who:
○ is not a representative of a shareholder who has the ability to control or
significantly influence management or the board
○ does not have a direct or indirect interest in the company (including any
parent or subsidiary in a consolidated group with the company) which
exceeds 5% of the group’s total number of shares in issue
○ does not have a direct or indirect interest in the company which is less
than 5% of the group’s total number of shares in issue, but is material to
his or her personal wealth
○ has not been employed by the company or the group of which it currently
forms part in any executive capacity, or appointed as the designated
auditor or partner in the group’s external audit firm, or senior legal adviser
for the preceding three financial years
○ is not a member of the immediate family of an individual who is, or has
during the preceding three financial years, been employed by the
company or the group in an executive capacity
○ is not a professional adviser to the company or the group, other than as a
director
○ is free from any business or other relationship (contractual or statutory)
which could be seen by an objective outsider to interfere materially with
the individual’s capacity to act in an independent manner, such as being a
director of a material customer of or supplier to the company, or
○ does not receive remuneration contingent upon the performance of the
company.
● Non-executive directors are independent of management on all issues including
strategy, performance, sustainability, resources, transformation, diversity,
employment equity, standards of conduct and evaluation of performance.
● The non-executive directors should meet from time to time without the executive
directors to consider the performance and actions of executive management.
3. The managing director
● This director is appointed by the rest of the directors and is solely responsible for
daily company operations. He or she is typically known as Chief Executive
Officer and is an executive director.
● Since the directors do not earn a salary from the organization they may not be
available for daily operations. Therefore, they appoint a director to ensure that
the organization runs smoothly in their absence.

4. De facto director
● A de facto director has not been formally appointed as a director but acts in place
of a director. He or she has similar responsibilities and liabilities as an official
director.

5. Shadow director
● A shadow director is similar to a de facto director in that he or she does not have
an official title. However, he or she has some influence on the decisions of the
board of directors.
● Acting in the capacity of de facto or shadow director means this person is
expected to uphold the obligations of the Corporations Act.

6. Lead Independent Director

● As a result of his or her senior status, has the authority to facilitate any issues
that may arise between executive and non-executive directors of the board.
● Such a function is noted as being especially relevant where the chairperson is an
executive director.

CG framework should ensure

● strategic guidance of the company
● effective monitoring of management by the Board
● board’s accountability to the company and the shareholders
● overseeing the overall control environment of the corporation
● monitoring management performance and accountability to all its shareholders
● acts for and on behalf of the company as a whole. It promotes and secures its long-term
strength and sustainability.

BODs Fiduciary Duty: Care and Loyalty

● The duty of care requires the exercise of prudent judgment by the board members. In
this regard, directors are expected to make decisions for the benefit of the entire
company, taking into account shareholders’ long-term interests as well as the rights of
all other stakeholders.
● The duty of loyalty relates to the duty of directors to put the interest of the company and
all its shareholders above his or her own. It is emphasized that the duty of the director is
to the entire company and not only to controlling or minority shareholders. Hence, in
deciding matters that may affect different shareholder groups, they are duty-bound to
treat all shareholders fairly.

Roles and Responsibility of the Board

● General Responsibility
● It is the Board’s responsibility to foster the long-term success of the corporation, and to
sustain its competitiveness and profitability in a manner consistent with its corporate
objectives and the best interests of its stockholders.
● The Board should formulate the corporation’s vision, mission, strategic objectives,
policies and procedures that shall guide its activities, including the means to effectively
monitor Management’s performance.

Duties and Functions

● To ensure a high standard of best practice for the corporation and its stockholders, the
Board should conduct itself with honesty and integrity in the performance of, among
others, the following duties and functions:
a. Implement a process for the selection of directors who can add value and
contribute independent judgment to the formulation of sound corporate
strategies and policies. Appoint competent, professional, honest and highly
motivated management officers. Adopt an effective succession planning
program for Management.
b. Provide sound strategic policies and guidelines to the corporation on major
capital expenditures. Establish programs that can sustain its long-term viability
and strength. Periodically evaluate and monitor the implementation of such
policies and strategies, including the business plans, operating budgets and
Management’s overall performance.
c. Ensure the corporation’s faithful compliance with all applicable laws, regulations
and best business practices.
d. Establish and maintain an investor relations program that will keep the
stockholders informed of important developments in the corporation. If feasible,
the corporation’s CEO or chief financial officer shall exercise oversight
responsibility over this program.
e. Identify the sectors in the community in which the corporation operates or are
directly affected by its operations, and formulate a clear policy of accurate,
timely and effective communication with them.
f. Adopt a system of check and balance within the Board. A regular review of the
effectiveness of such a system should be conducted to ensure the integrity of
the decision-making and reporting processes at all times. There should be a
continuing review of the corporation’s internal control system in order to maintain
its adequacy and effectiveness
g. Identify key risk areas and performance indicators and monitor these factors with
due diligence to enable the corporation to anticipate and prepare for possible
threats to its operational and financial viability.
h. Formulate and implement policies and procedures that would ensure the
integrity and transparency of related party transactions between and among the
corporation and its parent company, joint ventures, subsidiaries, associates,
affiliates, major stockholders, officers and directors, including their spouses,
children and dependent siblings and parents, and of interlocking director
relationships by members of the Board.
i. Constitute an Audit Committee and such other committees it deems necessary
to assist the Board in the performance of its duties and responsibilities.
j. Establish and maintain an alternative dispute resolution system in the
corporation that can amicably settle conflicts or differences between the
corporation and its stockholders, and the corporation and third parties, including
the regulatory authorities.
k. Meet at such times or frequency as may be needed. The minutes of such
meetings should be duly recorded. Independent views during Board meetings
should be encouraged and given due consideration.
l. Keep the activities and decisions of the Board within its authority under the
articles of incorporation and by-laws, and in accordance with existing laws, rules
and regulations.
m. Appoint a Compliance Officer who shall have the rank of at least vice president.
In the absence of such appointment, the Corporate Secretary, preferably a
lawyer, shall act as Compliance Officer.

Specific Duties and Responsibilities of a Director

● A director’s office is one of trust and confidence.
● A director should act in the best interest of the corporation in a manner characterized by
transparency, accountability and fairness. He should also exercise leadership, prudence
and integrity in directing the corporation towards sustained progress. A director should
observe the following norms of conduct:
a. Conduct fair business transactions with the corporation, and ensure that his
personal interest does not conflict with the interests of the corporation. The basic
principle to be observed is that a director should not use his position to profit or
gain some benefit or advantage for himself and/or his related interests. He
should avoid situations that may compromise his impartiality. If an actual or
potential conflict of interest may arise on the part of a director, he should fully
and immediately disclose it and should not participate in the decision-making
process. A director who has a continuing material conflict of interest should
seriously consider resigning from his position. A conflict of interest shall be
considered material if the director’s personal or business interest is antagonistic
to that of the corporation, or stands to acquire or gain financial advantage at the
expense of the corporation.
b. Devote the time and attention necessary to properly and effectively perform his
duties and responsibilities. A director should devote sufficient time to familiarize
himself with the corporation’s business. He should be constantly aware of and
knowledgeable with the corporation’s operations to enable him to meaningfully
contribute to the Board’s work. He should attend and actively participate in
Board and committee meetings, review meeting materials and, if called for, ask
questions or seek explanation
c. Act judiciously. Before deciding on any matter brought before the Board, a
director should carefully evaluate the issues and, if necessary, make inquiries
and request clarification.
d. Exercise independent judgment. A director should view each problem or
situation objectively. If a disagreement with other directors arises, he should
carefully evaluate and explain his position. He should not be afraid to take an
unpopular position. Corollarily, he should support plans and ideas that he thinks
are beneficial to the corporation.
e. Have a working knowledge of the statutory and regulatory requirements that
affect the corporation, including its articles of incorporation and by-laws, the
rules and regulations of the Commission and, where applicable, the
requirements of relevant regulatory agencies. A director should also keep
abreast with industry developments and business trends in order to promote the
corporation’s competitiveness.
f. Observe confidentiality. A director should keep secure and confidential all
non-public information he may acquire or learn by reason of his position as
director. He should not reveal confidential information to unauthorized persons
without the authority of the Board.

Internal Control Responsibilities of the Board

● The control environment of the corporation consists of
a. the Board which ensures that the corporation is properly and effectively
managed and supervised;
b. a Management that actively manages and operates the corporation in a sound
and prudent manner;
c. the organizational and procedural controls supported by effective management
information and risk management reporting systems; and
d. an independent audit mechanism to monitor the adequacy and effectiveness of
the corporation’s governance, operations, and information systems, including the
reliability and integrity of financial and operational information, the effectiveness
and efficiency of operations, the safeguarding of assets, and compliance with
laws, rules, regulations and contracts.

(i) The minimum internal control mechanisms for the performance of the Board’s
oversight responsibility may include:

a. Definition of the duties and responsibilities of the CEO who is ultimately
accountable for the corporation’s organizational and operational controls;
b. Selection of the person who possesses the ability, integrity and expertise
essential for the position of CEO;
c. Evaluation of proposed senior management appointments;
d. Selection and appointment of qualified and competent management officers; and
e. Review of the corporation’s human resource policies, conflict of interest
situations, compensation program for employees, and management succession
plan.

(ii) The scope and particulars of the systems of effective organizational and operational
controls may differ among corporations depending on, among others, the following
factors: nature and complexity of the business and the business culture; volume, size
and complexity of transactions; degree of risks involved; degree of centralization and
delegation of authority; extent and effectiveness of information technology; and extent of
regulatory compliance.

(iii) A corporation may establish an internal audit system that can reasonably assure the
Board, Management and stockholders that its key organizational and operational
controls are faithfully complied with. The Board may appoint an Internal Auditor to
perform the audit function, and may require him to report to a level in the organization
that allows the internal audit activity to fulfill its mandate. The Internal Auditor shall be
guided by the International Standards on Professional Practice of Internal Auditing.

Board Meetings and Quorum Requirement

● The members of the Board should attend its regular and special meetings in person or
through teleconferencing conducted in accordance with the rules and regulations of the
Commission.
● Independent directors should always attend Board meetings. Unless otherwise provided
in the by-laws, their absence shall not affect the quorum requirement. However, the
Board may, to promote transparency, require the presence of at least one independent
director in all its meetings.
● To monitor the directors’ compliance with the attendance requirements, corporations
shall submit to the Commission, on or before January 30 of the following year, a sworn
certification about the directors’ record of attendance in Board meetings. The
certification may be submitted through SEC Form 17-C or in a separate filing.
● Development of a policy on executive remuneration or determination of remuneration
levels for individual directors and officers depending on the particular needs of the
corporation. No director should participate in deciding on his remuneration.
● The corporation’s annual reports and information and proxy statements shall include a
clear, concise and understandable disclosure of all fixed and variable compensation that
may be paid, directly or indirectly, to its directors and top four (4) management officers
during the preceding fiscal year.
● To protect the funds of a corporation, the Commission may, in exceptional cases, e.g.,
when a corporation is under receivership or rehabilitation, regulate the payment of the
compensation, allowances, fees and fringe benefits to its directors and officers.

Succession Planning

● Overseeing Succession Planning of Key Officers and Management
○ ensure the longevity of the corporation and its long-term interests, as well as
that of its shareholders.
○ ensure the transfer of company leadership to highly competent and qualified
candidates.
○ to make sure that the company is prepared to select, compensate and when
necessary, replace its Chief Executive Officer (CEO) and key officers, with
minimal disruption of the company’s operations.
○ implementing a process of selection of competent, professional, honest and
highly motivated management officers who can add value and contribute
independent judgment to the formulation of sound corporate strategies and
policies.

Aligning Key Officers and Board Remuneration with Long-Term Interest of the Company

● provides that the levels of remuneration of the corporation should be sufficient to be
able to attract and retain the services of qualified and competent directors and officers.
● However, remuneration policies should not encourage excessive risk taking and should
be aligned with the long-term interest of the company.
● Hence, a balance must be struck between reasonable remuneration and the interest of
the company and its shareholders

Section 30 of the Corporation Code

● provides that compensation other than per diems granted to directors may be granted
by the vote of stockholders representing at least a majority of the outstanding capital
stock at a regular or special meeting.
● Key considerations in determining the same include the following: that the level of
remuneration is commensurate to the responsibilities of the role and that no director
should participate in deciding on his or her remuneration.

Department of Finance (DOF) Order No. 054-201570

● fixed remuneration shall ideally be given to Independent Directors (IDs) of insurance
and public companies at the level sufficient to attract and retain the quality of directors
to run the company successfully.
● Entitlement to such fixed amount should ideally be based on the results of an
independent ratings mechanism, established for purposes of evaluating the
performance of IDs. Stock options and performance benefits of any kind are ideally not
included in the remuneration package of IDs.
● The full disclosure of company’s remuneration policy for its key officers and directors

Formal and Transparent Board Nomination and Election Process

● A formal and transparent Board nomination and election process is necessary for all
corporations to ensure that there is proper composition of the Board that would address
the demands and needs of the company.
● The establishment of a transparent procedure is generally the responsibility of a
Nomination Committee or Sub-Committee, who should review and evaluate the
qualifications of all persons nominated to the Board and other appointments that require
Board approval, and assess the effectiveness of the Board’s processes and procedures
in the election or replacement of a director

Board Committees

● The Audit Committee shall consist of at least three (3) directors,
○ who shall preferably have accounting and finance backgrounds,
○ one of whom shall be an independent director and another with audit
experience.
○ The chair of the Audit Committee should be an independent director.
● The committee shall have the following functions:
a. Assist the Board in the performance of its oversight responsibility for the
financial reporting process, system of internal control, audit process, and
monitoring of compliance with applicable laws, rules and regulations;
b. Provide oversight over Management’s activities in managing credit, market,
liquidity, operational, legal and other risks of the corporation. This function shall
include regular receipt from Management of information on risk exposures and
risk management activities;
c. Perform oversight functions over the corporation’s internal and external auditors.
It should ensure that the internal and external auditors act independently from
each other, and that both auditors are given unrestricted access to all records,
properties and personnel to enable them to perform their respective audit
functions;
d. Review the annual internal audit plan to ensure its conformity with the objectives
of the corporation. The plan shall include the audit scope, resources and budget
necessary to implement it;
e. Prior to the commencement of the audit, discuss with the external auditor the
nature, scope and expenses of the audit, and ensure proper coordination if more
than one audit firm is involved in the activity to secure proper coverage and
minimize duplication of efforts;
f. Organize an internal audit department, and consider the appointment of an
independent internal auditor and the terms and conditions of its engagement
and removal;
g. Monitor and evaluate the adequacy and effectiveness of the corporation’s
internal control system, including financial reporting control and information
technology security;
h. Review the reports submitted by the internal and external auditors;
i. Review the quarterly, half-year and annual financial statements before their
submission to the Board, with particular focus on the following matters:
● Any change/s in accounting policies and practices
● Major judgmental areas
● Significant adjustments resulting from the audit
● Going concern assumptions
● Compliance with accounting standards
● Compliance with tax, legal and regulatory requirements
j. Coordinate, monitor and facilitate compliance with laws, rules and regulations;
k. Evaluate and determine the non-audit work, if any, of the external auditor, and
review periodically the non-audit fees paid to the external auditor in relation to
their significance to the total annual income of the external auditor and to the
corporation’s overall consultancy expenses.

The committee shall disallow any non-audit work that will conflict with his duties as an external
auditor or may pose a threat to his independence. The non-audit work, if allowed, should be
disclosed in the corporation’s annual report;

l. Establish and identify the reporting line of the Internal Auditor to enable him to
properly fulfill his duties and responsibilities. He shall functionally report directly
to the Audit Committee. The Audit Committee shall ensure that, in the
performance of the work of the Internal Auditor, he shall be free from
interference by outside parties. For Philippine branches or subsidiaries of foreign
corporations covered by this Code, their Internal Auditor should be independent
of the Philippine operations and should report to the regional or corporate
headquarters.
(ii) The Board may also organize the following committees:

a. A Nomination Committee, which may be composed of at least three (3)
members and one of whom should be an independent director, to review and
evaluate the qualifications of all persons nominated to the Board and other
appointments that require Board approval, and to assess the effectiveness of the
Board’s processes and procedures in the election or replacement of directors;
b. A Compensation or Remuneration Committee, which may be composed of at
least three (3) members and one of whom should be an independent director, to
establish a formal and transparent procedure for developing a policy on
remuneration of directors and officers to ensure that their compensation is
consistent with the corporation’s culture, strategy and the business environment
in which it operates.

The Corporate Secretary

● The Corporate Secretary, who should be a Filipino citizen and a resident of the
Philippines, is an officer of the corporation. He should -
○ (i) Be responsible for the safekeeping and preservation of the integrity of the
minutes of the meetings of the Board and its committees, as well as the other
official records of the corporation;
○ (ii) Be loyal to the mission, vision and objectives of the corporation;
○ (iii) Work fairly and objectively with the Board, Management and stockholders;
○ (iv) Have appropriate administrative and interpersonal skills;
○ (v) If he is not at the same time the corporation’s legal counsel, be aware of the
laws, rules and regulations necessary in the performance of his duties and
responsibilities;
○ (vi) Have a working knowledge of the operations of the corporation;
○ (vii) Inform the members of the Board, in accordance with the bylaws, of the
agenda of their meetings and ensure that the members have before them
accurate information that will enable them to arrive at intelligent decisions on
matters that require their approval;
○ (viii) Attend all Board meetings, except when justifiable causes, such as, illness,
death in the immediate family and serious accidents, prevent him from doing so;
○ (ix) Ensure that all Board procedures, rules and regulations are strictly followed
by the members; and
○ (x) If he is also the Compliance Officer, perform all the duties and responsibilities
of the said officer as provided for in this Code.

The Compliance Officer

● The Board shall appoint a Compliance Officer who shall report directly to the Chair of
the Board. He shall perform the following duties:
○ (i) Monitor compliance by the corporation with this Code and the rules and
regulations of regulatory agencies and, if any violations are found, report the
matter to the Board and recommend the imposition of appropriate disciplinary
action on the responsible parties and the adoption of measures to prevent a
repetition of the violation;
○ (ii) Appear before the Commission when summoned in relation to compliance
with this Code; and
○ (iii) Issue a certification every January 30th of the year on the extent of the
corporation’s compliance with this Code for the completed year and, if there are
any deviations, explain the reason for such deviation.

Article 4: Adequate and Timely Information

● To enable the members of the Board to properly fulfill their duties and responsibilities,
Management should provide them with complete, adequate and timely information
about the matters to be taken in their meetings.
● Reliance on information volunteered by Management would not be sufficient in all
circumstances and further inquiries may have to be made by a member of the Board to
enable him to properly perform his duties and responsibilities.
● Hence, the members should be given independent access to Management and the
Corporate Secretary.
● The information may include the background or explanation on matters brought before
the Board, disclosures, budgets, forecasts and internal financial documents.
● The members, either individually or as a Board, and in furtherance of their duties and
responsibilities, should have access to independent professional advice at the
corporation’s expense.

Article 5: Accountability and Audit

a. The Board is primarily accountable to the stockholders. It should provide them with a
balanced and comprehensible assessment of the corporation’s performance, position
and prospects on a quarterly basis, including interim and other reports that could
adversely affect its business, as well as reports to regulators that are required by law.
Thus, it is essential that Management provide all members of the Board with accurate
and timely information that would enable the Board to comply with its responsibilities to
the stockholders. Management should formulate, under the supervision of the Audit
Committee, the rules and procedures on financial reporting and internal control in
accordance with the following guidelines:
○ (i) The extent of its responsibility in the preparation of the financial
statements of the corporation, with the corresponding delineation of the
responsibilities that pertain to the external auditor, should be clearly
explained;
○ (ii) An effective system of internal control that will ensure the integrity of
the financial reports and protection of the assets of the corporation
should be maintained;
○ (iii) On the basis of the approved audit plans, internal audit examinations
should cover, at the minimum, the evaluation of the adequacy and
effectiveness of controls that cover the corporation’s governance,
operations and information systems, including the reliability and integrity
of financial and operational information, effectiveness and efficiency of
operations, protection of assets, and compliance with contracts, laws,
rules and regulations;
○ (iv) The corporation should consistently comply with the financial
reporting requirements of the Commission;
○ (v) The external auditor should be rotated or changed every five (5) years
or earlier, or the signing partner of the external auditing firm assigned to
the corporation, should be changed with the same frequency. The
Internal Auditor should submit to the Audit Committee and Management
an annual report on the internal audit department’s activities,
responsibilities and performance relative to the audit plans and strategies
as approved by the Audit Committee. The annual report should include significant
risk exposures, control issues and such other matters as may be needed or
requested by the Board and Management. The Internal Auditor should certify that
he conducts his activities in accordance with the International Standards on the
Professional Practice of Internal Auditing. If he does not, he shall disclose to the
Board and Management the reasons why he has not fully complied with the said
standards.

b. The Board, after consultations with the Audit Committee, shall recommend to the
stockholders an external auditor duly accredited by the Commission who shall
undertake an independent audit of the corporation, and shall provide an objective
assurance on the manner by which the financial statements shall be prepared and
presented to the stockholders. The external auditor shall not, at the same time, provide
internal audit services to the corporation. Non-audit work may be given to the external
auditor, provided it does not conflict with his duties as an independent auditor, or does
not pose a threat to his independence.
● If the external auditor resigns, is dismissed or ceases to perform his services,
the reason/s for and the date of effectivity of such action shall be reported in the
corporation’s annual and current reports. The report shall include a discussion of
any disagreement between him and the corporation on accounting principles or
practices, financial disclosures or audit procedures which the former auditor and
the corporation failed to resolve satisfactorily. A preliminary copy of the said
report shall be given by the corporation to the external auditor before its
submission.
● If the external auditor believes that any statement made in an annual report,
information statement or any report filed with the Commission or any regulatory
body during the period of his engagement is incorrect or incomplete, he shall
give his comments or views on the matter in the said reports.

Article 6: Stockholders’ Rights and Protection of Minority Stockholders’ Interests

a. The Board shall respect the rights of the stockholders as provided for in the Corporation
Code, namely:
○ (i) Right to vote on all matters that require their consent or approval;
○ (ii) Pre-emptive right to all stock issuances of the corporation;
○ (iii) Right to inspect corporate books and records;
○ (iv) Right to information;
○ (v) Right to dividends; and
○ (vi) Appraisal right.
b. The Board should be transparent and fair in the conduct of the annual and special
stockholders’ meetings of the corporation. The stockholders should be encouraged to
personally attend such meetings. If they cannot attend, they should be apprised ahead
of time of their right to appoint a proxy. Subject to the requirements of the bylaws, the
exercise of that right shall not be unduly restricted and any doubt about the validity of a
proxy should be resolved in the stockholder’s favor. It is the duty of the Board to
promote the rights of the stockholders, remove impediments to the exercise of those
rights and provide an adequate avenue for them to seek timely redress for breach of
their rights.

● The Board should take the appropriate steps to remove excessive or unnecessary
costs and other administrative impediments to the stockholders’ meaningful
participation in meetings, whether in person or by proxy. Accurate and timely
information should be made available to the stockholders to enable them to make a
sound judgment on all matters brought to their attention for consideration or approval.
Although all stockholders should be treated equally or without discrimination, the Board
should give minority stockholders the right to propose the holding of meetings and the
items for discussion in the agenda that relate directly to the business of the corporation.

Article 7: Governance Self-Rating System

● The Board may create an internal self-rating system that can measure the performance
of the Board and Management in accordance with the criteria provided for in this Code.
● The creation and implementation of such self-rating system, including its salient
features, may be disclosed in the corporation’s annual report.

Article 8: Disclosure and Transparency

● The essence of corporate governance is transparency. The more transparent the
internal workings of the corporation are, the more difficult it will be for Management and
dominant stockholders to mismanage the corporation or misappropriate its assets. It is
therefore essential that all material information about the corporation which could
adversely affect its viability or the interests of the stockholders should be publicly and
timely disclosed. Such information should include, among others, earnings results,
acquisition or disposition of assets, off balance sheet transactions, related party
transactions, and direct and indirect remuneration of members of the Board and
Management. All such information should be disclosed through the appropriate
Exchange mechanisms and submissions to the Commission.

Article 9: Commitment to Good Corporate Governance

● All covered corporations shall establish and implement their corporate governance rules
in accordance with this Code. The rules shall be embodied in a manual that can be
used as reference by the members of the Board and Management. The manual should
be submitted to the Commission for its evaluation within one hundred eighty (180)
business days from the date this Code becomes effective to enable the Commission to
determine its compliance with this Code taking into consideration the nature, size and
scope of the business of the corporation; provided, however, that corporations that have
earlier submitted their manual may, at their option, continue to use the said manual as
long as it complies with the provisions of this Code. The manual shall be made available
for inspection by any shareholder at reasonable hours on business days.

Article 10: Regular Review of the Code and the Scorecard

● To monitor the compliance by covered corporations with this Code, the Commission
may require them to accomplish annually a scorecard on the scope, nature and extent
of the actions they have taken to meet the objectives of this Code.
● The Commission shall periodically review this Code to ensure that it meets its
objectives.

Article 11: Administrative Sanctions

● A fine of not more than Two Hundred Thousand Pesos (P200,000) shall, after due
notice and hearing, be imposed for every year that a covered corporation violates the
provisions of this Code, without prejudice to other sanctions that the Commission may
be authorized to impose under the law; provided, however, that any violation of the
Securities Regulation Code punishable by a specific penalty shall be assessed
separately and shall not be covered by the abovementioned fine.

Article 12: Effective Date

● This Memorandum Circular shall take effect on July 15, 2009. Signed this 22nd day of
June 2009 at Mandaluyong City, Philippines.

Business Ethics
Business Ethics Part. 1

Business Ethics
- Standards of moral conduct, behavior and judgment in business
- It involves making the moral and right decision while engaging in such business
activities as manufacturing and selling a product and providing a service to customers
- Is an area of corporate responsibility where businesses are legally bound and socially
obligated to conduct business in an ethical manner

Purposes of Business Ethics / Importance of Ethics in Business

1. In general, businesses have power and influence in society, therefore their ethical or
unethical actions affect a lot of people. THEREFORE the right thing must be done.
2. Business ethics provides us with the tools to determine whether or not we should do a
certain action and the extent to which a past action should have been done.
3. Cost to the organization: deteriorating relationships, damage to reputation and
reduction of employee productivity and loyalty as a result of unethical practices cost
companies.

Code of Ethics
- A set of rules and principles designed to encourage ethical conduct among a group of
professionals.

Economic impact
- wages it pays to its employees
- materials it buys from its suppliers
- prices it charges its customers

Social Responsibility
- The principle that, in addition to pursuing profit generation, corporations should strive to
act in a way that positively affects society and the world.
- Offer bribes to secure works or benefits
- Accounting fraud
- Breach regulatory and legal limitations on their operations

Ways to Embrace Environmental Responsibility

- Use energy more efficiently
- Reduce waste
- Plant trees
- Decrease pollution
- Use recycled materials

Impact on Business Managers

- Acknowledge that his role is to serve the business enterprise and the community
- Avoid abuse of executive power
- Avoid conflict of interest
- Lead by example
- Recognize that his subordinates have a right to information on matters affecting them
- Evaluate the effect on employees and community of the future business plans before
taking a final decision
- Cooperate with his colleagues and not attempt to secure personal advantage at their
expense

Common unethical practices of business establishments

Two most common types
1. Misrepresentation
Direct misrepresentation - actively misrepresenting the product to customers
Indirect misrepresentation - omitting adverse or unfavorable information about the
product or service
2. Over-persuasion - the process of appealing to the emotions of a prospective customer and
urging him to buy an item of merchandise he needs.

Misbranding and mislabeling - making false statement on the label and making its container
similar to a well-known product
False or misleading advertising
- Pictures or statements that convey exaggerated impression
- Claim is the “fastest selling brand” or “product of the year”
- Fictitious or obsolete testimonials
Adulteration
- Debasing a pure or genuine commodity by imitating or counterfeiting it.
- Adding something to increase its bulk or volume
- Substituting an inferior product for a superior one

Business Ethics Part. 2

Ethical Dilemma
- Is a situation a person faces in which a decision must be made about the appropriate
behavior.
Resolving Ethical Dilemmas
1. Obtain the relevant facts
2. Identify the ethical issues from the facts
3. Determine who is affected by the outcome of the dilemma and how each person or
group is affected
4. Identify the alternatives available to the person who must resolve the dilemma
5. Identify the likely consequences of each alternative
6. Decide the appropriate action

Advocacy Against Corruption

Corruption is receiving, asking for, or giving any gratification to induce a person to do a favor
for private gain. This act covers not only public corruption involving misuse of public power by
elected politicians or appointed civil servants but also private corruption between individuals
and business.

Business Ethics Part. 3 - Advocacy against Corruption

Corruption
1. Is the abuse of private or public office for personal gain
2. Receiving, asking for or giving any gratification to induce a person to do a favor for
private gain
3. Is the misuse of entrusted power
4. Is an improbity or decay in the decision-making process in which a decision-maker
consents to deviate or demands deviation from the criterion which should rule his or her
decision-making, in exchange for a reward or for the promise or expectation of a
reward, while these motives influencing his or her decision-making cannot be part of the
justification of the decision. - Dr. Petrus Van Duyne
5. Is a form of dishonesty or criminal activity undertaken by a person or an organization
entrusted with a position of authority, often to acquire illicit benefit.

Examples

1. A company paying a bribe to win the public contract to build the local highway, despite
proposing a sub-standard offer
2. A politician redirecting investments to his hometown rather than to the region most in need
3. A public official embezzling funds for school renovation to build his private villa
4. A private company manager recruiting an ill-suited friend for a high-level position
5. Local officials demanding bribes from ordinary citizens to get access to a new water pipe
6. A salesman bribing the purchasing manager of a company to give preference to his
products

Why and how does a person become corrupt?

● Career advancement
● Earning of more income
● Financial problems caused by illness, loss of property

Effects of Corruption

1. Adds up to 10% of the total costs of doing business in any part of the world, and up to 25%
of the cost of procurement in developing countries.
2. Leads to waste or the inefficient use of public resources
a. In the Philippines from 1960 to 2016, an average of P550 billion was lost yearly to
crime, corruption and tax evasion
3. Corrodes public trust, undermines the rule of law, and ultimately delegitimizes the state
4. Breakdown in social order
5. Creates unfair competition
6. Corruption in developing and undeveloped countries is still critical nowadays

Characteristics of Corruption

a. Recipients and payers
b. Extortion – gifts being made reciprocally
c. Lubricant of society – ensure smoother operation
d. Ethical dilemma – wrongdoing and personal reform
e. Poverty alleviation – extra income
f. Culture – giving gifts as a sign of gratitude or presence
g. Kindness among friends – expected return in the future

The Philippines Corruption Report

● Judicial System
○ In one recent case, a businessman filed an administrative complaint in the
country’s Supreme Court against a Makati judge for allegedly asking for a
P15 million bribe in exchange for a favorable ruling in an insurance claim.
● Police
○ Police commissioner Mr. Sombero is under investigation for allegedly facilitating
a P50 million bribe from gambling tycoon Jack Lam, who tried to bribe
immigration authorities in order to release approximately 1,300 Chinese nationals
who were working in his resorts illegally.
● Public services
○ The total number of procedures required to set up operations, including
registering the company and getting permits
● Land administration
○ The court system is slow to resolve land disputes.
○ Insufficient confidence in the protection of property rights
● Tax administration
○ In a case in Bacolod City, an officer of the BIR was caught extorting P125,000
from a local company. Businesses rate the BIR’s commitment to fighting corruption
as poor.
● Customs administration
○ Reports indicated that smuggling of goods, among them cigarettes, vehicles, and oil,
into the Philippines had led to the evasion of taxes worth at least USD 1 billion
yearly. Through under-invoicing when importing and exporting, employees allegedly
accepted as much as USD 4 million in bribes monthly.
● Public procurement
○ Under-the-table bribery to get government projects, pork barrel system,
diversion of public funds
● Natural resources
○ Mining companies evade government regulations, which has resulted in
large-scale deforestation, flattened mountaintops and water pollution. As of 2017,
Secretary of the Environment Gina Lopez had shut down 28 of the country’s 41 mining
companies for polluting the environment. However, Lopez was removed from her post by
Congress in May 2017 after mounting complaints from the pro-mining lobby.

Prevention of Corruption
● Clear business process – defined workflow
○ Reviewed regularly
○ Diligent record-keeping
○ Regular audit
● Policy on gifts and entertainment
○ awareness of this policy
● Declaration of conflict of interest
○ Excluding the employee from engaging in the work
○ Transferring the employee to another department or post
● Convenient corruption reporting system
○ Allowing reports to be filed anonymously through a publicized email address or
phone number

Efforts of the government to curb corruption through legislation

● Anti-Graft and Corrupt Practices Act
● Anti-Red Tape Act
● Anti-Money Laundering Act
● Government Procurement Reform Act
● Act Establishing a Code of Conduct and Ethical Standards for Public Officials and
Employees

Current issues on corruption in the Philippines

● Senate Probe of SEA Games Venue Contract Pressed, Philippines Inquirer, November
11, 2020, Melvin Gascon – Sen. Risa Hontiveros
● Smuggled tobacco products cornered half of apprehended goods in 2020, PI, January
19, 2021, Ben de Vera
● New pastillas raps tag alleged brains – Bureau of Immigration
● PhilHealth officers quit – ghost and double claims

Initiatives to Improve Business Ethics and Reduce Corruption
Improvement of business ethics is a common concern of everybody. It is imperative that
all involved - manufacturers, sellers, consumers, government, and relevant organizations must
participate in improving business ethics. Unless there is a concerted effort on the part of
everybody, we cannot effectively remind businessmen and professionals of their ethical
responsibility to each other, their customers, and their clients.

Unethical practices are ever-present. Even people who have not yet been victims of
these practices are vaguely aware that they exist and agree that something must be done to
rid the world of them. Accordingly, various approaches to improving business ethics have
been brought forward not only in the Philippines but also in other countries.

Business Ethics Part. 4 - Initiative to Improve Business Ethics and Reduce Corruption

The Integrity Initiative Campaign

In 2020, a private sector-led campaign aiming to strengthen ethical standards in
business, the Integrity Initiative, was organized after the Philippines received a grant from
Siemens.
The Makati Business Club (MBC) - serves as the Integrity Initiative Secretariat
The European Chamber of Commerce of the Philippines (ECCP)
Bishops-Businessmen’s Conference Philippines - issued the Code of Ethics for Philippine
Business

Purposes
1. To institutionalize integrity standards among various sectors of society
2. To help in diminishing, if not fully eradicating, the vicious cycle of corruption in the
Philippines
3. To build trust in government, a more equitable society and fair market conditions
4. The Philippines to become a benchmark in the transformation process of any country
regarded as highly corrupt to one that fosters an ethical and progressive business
environment

Corporate Values
● Managing, protecting, and enhancing reputation has become one of the greatest
challenges facing today’s board. The reputation of a business is a critical factor in the
determination of its value. The values and ethics of the organization need to be
explicitly managed.
Need for Code of Conduct
● A code of conduct is a formal expression of the organization’s values and ethics. A code
of conduct should
○ Guide directors and senior executives, as a minimum, as to the practices
necessary to maintain confidence in the organization’s integrity.
○ Promote responsibility and accountability of individuals for reporting and
investigating reports of unethical practices
○ Ensure compliance with legal and other obligations to legitimate stakeholders.

Unified Code of Conduct for Business (Integrity Initiative)

● Top Management
○ Leads by example by consistently demonstrating the value of conducting
business with integrity
○ Our officers strongly communicate our organization’s position against bribery,
corruption, and unethical business practices within the company and to the broader
public, comply with all government regulatory requirements, and prohibit
cover-ups and falsified reports that conceal improper transactions
○ Management strongly supports integrity practices and allocates sufficient
resources for their implementation.

Human Resources
● Maintain open lines of communication with employees, particularly on matters relating
to honesty, transparency, and integrity in business transactions
● All employees have the right to file and respond to complaints against practices
suspected to be illegal or unethical
● Have appropriate tools to confidentially receive, monitor and act on internal and external
complaints
● Employees filing complaints will be protected from all types of retaliation, while those
involved in unethical practices will be subject to commensurate disciplinary actions
● Instituted a training program on business ethics covering all levels of the organization

Sales and Marketing

● Clearly communicate rules and guidelines on giving gifts, entertainment, tokens of
hospitality, and contributions to/from public and private organizations and their
representatives.
● Employees and all third parties engaged by our company to act as our intermediaries,
agents or representatives are not permitted to offer, promise, or give, or to
demand or accept, concessions
● We abide by existing laws when transacting with government agencies - Anti-Graft and
Corrupt Practices Act
Finance and Accounting
● Require all employees to ensure that all books and records they create or are
responsible for are complete and accurate
● Our financial records conform to standard accounting principles, comply with SEC
requirements on disclosure and transparency, and abide by anti-money laundering laws
● We pay taxes in compliance with all laws

Procurement
● Maintain transparent procurement procedures, provide equal opportunities for all suppliers, and
prohibit collusion between and among our employees and suppliers
● Enter into integrity pacts with our suppliers and ensure that they comply with the
provisions of our pact
● Contracting a third party to bribe or commit corrupt practices on behalf of the company
is strictly prohibited
Logistics
● Comply with law and regulations pertaining to supply chain management
● Pay correct duties and taxes based on transparent assessment of goods and services
● Employees are not penalized for refusing to pay bribes or facilitation payments even if it
results in failure to meet deadlines or loss of revenue

Implementation and Monitoring

● Continually align our operations to the principles contained in this Code
● Periodically assess and monitor our compliance with it
● Continue to share best practices with the business community to strengthen ethical
business processes in the Philippines

Code of Ethics IIA

The Code of Ethics is a statement of principles and expectations governing behavior of
individuals and organizations in the conduct of internal auditing.

RULE - PRINCIPLE

Integrity - The integrity of internal auditors establishes trust and thus provides the basis
for reliance on their judgment.

Objectivity - Internal auditors exhibit the highest level of professional objectivity in
gathering, evaluating, and communicating information about the activity or
process being examined. Internal auditors make a balanced assessment of
all the relevant circumstances and are not unduly influenced by their own
interests or by others in forming judgments.

Confidentiality - Internal auditors respect the value and ownership of information they receive
and do not disclose information without appropriate authority unless there is
a legal or professional obligation to do so.

Competency - Internal auditors apply the knowledge, skills and experience needed in the
performance of internal auditing services.

The Code of Ethics

1. Integrity Principle
The integrity of internal auditors establishes trust and thus provides the basis for
reliance on their judgment.

Internal auditors:
- Shall perform their work with honesty, diligence and responsibility.
- Shall observe the law and make disclosures expected by the law and the profession.
- Shall not knowingly be a party to any illegal activity, or engage in acts that are
discreditable to the profession of internal auditing or to the organization.
- Shall respect and contribute to the legitimate and ethical objectives of the organization.

2. Objectivity Principle
Internal auditors exhibit the highest level of professional objectivity in gathering,
evaluating, and communicating information about the activity or process being examined.
Internal auditors make a balanced assessment of all the relevant circumstances and are not
unduly influenced by their own interest or by others in forming judgments.

Internal auditors:
- Shall not participate in any activity or relationship that may impair or be presumed to
impair their unbiased assessment. This participation includes those activities or
relationships that may be in conflict with the interests of the organization.
- Shall disclose all material facts known to them that, if not disclosed, may distort the
reporting of activities under review.

3. Confidentiality Principle
Internal auditors respect the value and ownership of information they receive
and do not disclose information without appropriate authority unless there is a legal or
professional obligation to do so.

Internal auditors:
- Shall be prudent in the use and protection of information acquired in the course of their
duties.
- Shall not use information for any personal gain or in any manner that would be contrary
to the law or detrimental to the legitimate and ethical objectives of the organization.

4. Competency Principle
Internal auditors apply the knowledge, skills and experience needed in the performance
of internal auditing services.

Internal auditors:
- Shall engage only in those services for which they have the necessary knowledge, skills
and experience.
- Shall perform internal auditing services in accordance with the International Standards
for the Professional Practice of Internal Auditing.
- Shall continually improve their proficiency and the effectiveness and quality of their
services.
IIA Code of Ethics
Code of Ethics
- The Code of Ethics is a statement of principles and expectations governing behavior of
individuals and organizations in the conduct of internal auditing.

Code of Ethics: Purpose


- This is the full text of the Institute’s Code of Ethics.
- The purpose of the Code is to promote an ethical culture in the profession of internal
auditing.
- A code of ethics is necessary and appropriate for the profession of internal auditing,
founded as it is on the trust placed in its objective assurance about risk management,
control, and governance.

Parts of Code of Ethics


- Principles and
- Rules of Conduct

Principles of Code of Ethics


- Integrity
- Objectivity
- Confidentiality
- Competency

Rules of Conduct of Code of Ethics


- These describe behavior norms expected of internal auditors.
- These rules are an aid to interpreting the Principles into practical applications and
are intended to guide the ethical conduct of internal auditors.

Internal Auditor
- Institute members and those who provide internal auditing services within the definition
of internal auditing.

Applicability and enforcement


- This Code of Ethics applies to both individuals and entities that provide internal auditing
services.
- For Institute members, breaches of the Code of Ethics will be evaluated and
administered according to The Institute’s Disciplinary Procedures. The fact that a
particular conduct is not mentioned in the Rules of Conduct does not prevent it from
being unacceptable or discreditable, and therefore, the member liable to disciplinary
action.

1. Integrity Principle
- The integrity of internal auditors establishes trust thus providing the basis for
reliance on their judgment.
1.1. Shall perform their work with honesty, diligence and responsibility.
1.2. Shall observe the law and make disclosures expected by the law and the
profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are
discreditable to the profession of internal auditing or to the organization.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the
organization.

2. Objectivity Principle
- Internal auditors exhibit the highest level of professional objectivity in gathering,
evaluating, and communicating information about the activity or process being
examined.
- Internal auditors make a balanced assessment of all the relevant circumstances and are
not unduly influenced by their own interest or by others in forming judgements.
2.1. Shall not participate in any activity or relationship that may impair or be
presumed to impair their unbiased assessment. This participation includes those
activities or relationships that may be in conflict with the interests of the
organization.
2.2. Shall not accept anything that may impair or be presumed to impair their
professional judgment.
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort
the reporting of activities under review.

3. Confidentiality Principle
- Internal auditors respect the value and ownership of information they receive
and do not disclose information without appropriate authority unless there is a
legal or professional obligation to do so.
3.1. Shall be prudent in the use and protection of information acquired in the course
of their duties.
3.2. Shall not use information for any personal gain or in any manner that would be
contrary to the law or detrimental to the legitimate and ethical objectives of the
organization.
4. Competency Principle
- Internal auditors apply the knowledge, skills, and experience needed in the
performance of internal auditing services.
4.1. Shall engage only in those services for which they have the necessary
knowledge, skills, and experience.
4.2. Shall perform internal auditing services in accordance with the International
Standards for the Professional Practice of Internal Auditing.
4.3. Shall continually improve their proficiency and the effectiveness and quality of
their services.
About the Code of Ethics
The Code of Ethics is authoritative guidance for the internal audit profession from the
Global Institute of Internal Auditors. It is part of the International Professional Practices
Framework.
Members of the Chartered Institute of Internal Auditors all agree to follow the Code of
Ethics and the Code of Professional Conduct.

Risk Management
COSO - RISK MANAGEMENT FRAMEWORK

COSO - ERM - Executive Summary

EXECUTIVE SUMMARY
The underlying premise of enterprise risk management is that every entity exists to
provide value for its stakeholders. All entities face uncertainty, and the challenge for
management is to determine how much uncertainty to accept as it strives to grow
stakeholder value.
Uncertainty presents both risk and opportunity, with the potential to erode or enhance
value. Enterprise risk management enables management to effectively deal with
uncertainty and associated risk and opportunity, enhancing the capacity to build value.

Value is maximized when management sets strategy and objectives to strike an
optimal balance between growth and return goals and related risks, and efficiently
and effectively deploys resources in pursuit of the entity’s objectives. Enterprise
risk management encompasses:

● Aligning risk appetite and strategy – Management considers the entity’s risk
appetite in evaluating strategic alternatives, setting related objectives, and
developing mechanisms to manage related risks.
● Enhancing risk response decisions – Enterprise risk management provides the
rigor to identify and select among alternative risk responses – risk avoidance,
reduction, sharing, and acceptance.
● Reducing operational surprises and losses – Entities gain enhanced capability to
identify potential events and establish responses, reducing surprises and
associated costs or losses.
● Identifying and managing multiple and cross-enterprise risks – Every enterprise
faces a myriad of risks affecting different parts of the organization, and
enterprise risk management facilitates effective response to the interrelated
impacts, and integrated responses to multiple risks.
● Seizing opportunities – By considering a full range of potential events,
management is positioned to identify and proactively realize opportunities.
● Improving deployment of capital – Obtaining robust risk information allows
management to effectively assess overall capital needs and enhance capital
allocation.

These capabilities inherent in enterprise risk management help management achieve
the entity’s performance and profitability targets and prevent loss of resources.
Enterprise risk management helps ensure effective reporting and compliance with laws
and regulations, and helps avoid damage to the entity’s reputation and associated
consequences. In sum, enterprise risk management helps an entity get to where it
wants to go and avoid pitfalls and surprises along the way.

Events – Risks and Opportunities


Events can have negative impact, positive impact, or both. Events with a
negative impact represent risks, which can prevent value creation or erode existing
value. Events with positive impact may offset negative impacts or represent
opportunities. Opportunities are the possibility that an event will occur and positively
affect the achievement of objectives, supporting value creation or preservation.
Management channels opportunities back to its strategy or objective-setting processes,
formulating plans to seize the opportunities.

Enterprise Risk Management Defined


Enterprise risk management deals with risks and opportunities affecting
value creation or preservation, defined as follows:
Enterprise risk management is a process, effected by an entity’s board of
directors, management and other personnel, applied in strategy setting and
across the enterprise, designed to identify potential events that may affect the
entity, and manage risk to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives.
The definition reflects certain fundamental concepts. Enterprise risk management is:

● A process, ongoing and flowing through an entity
● Effected by people at every level of an organization
● Applied in strategy setting
● Applied across the enterprise, at every level and unit, and includes taking an entity-
level portfolio view of risk
● Designed to identify potential events that, if they occur, will affect the entity and to
manage risk within its risk appetite
● Able to provide reasonable assurance to an entity’s management and board of directors
● Geared to achievement of objectives in one or more separate but overlapping
categories

This definition is purposefully broad. It captures key concepts fundamental to how
companies and other organizations manage risk, providing a basis for application
across organizations, industries, and sectors. It focuses directly on achievement of
objectives established by a particular entity and provides a basis for defining enterprise
risk management effectiveness.

Achievement of Objectives
Within the context of an entity’s established mission or vision, management
establishes strategic objectives, selects strategy, and sets aligned objectives cascading
through the enterprise. This enterprise risk management framework is geared to
achieving an entity’s objectives, set forth in four categories:
● Strategic – high-level goals, aligned with and supporting its mission
● Operations – effective and efficient use of its resources
● Reporting – reliability of reporting
● Compliance – compliance with applicable laws and regulations.

This categorization of entity objectives allows a focus on separate aspects of enterprise
risk management. These distinct but overlapping categories – a particular objective can fall
into more than one category – address different entity needs and may be the direct
responsibility of different executives. This categorization also allows distinctions between what
can be expected from each category of objectives. Another category, safeguarding of
resources, used by some entities, also is described.

Because objectives relating to reliability of reporting and compliance with laws and
regulations are within the entity’s control, enterprise risk management can be expected to
provide reasonable assurance of achieving those objectives. Achievement of strategic
objectives and operations objectives, however, is subject to external events not always within
the entity’s control; accordingly, for these objectives, enterprise risk management can provide
reasonable assurance that management, and the board in its oversight role, are made aware,
in a timely manner, of the extent to which the entity is moving toward achievement of the
objectives.
Components of Enterprise Risk Management

Enterprise risk management consists of eight interrelated components. These
are derived from the way management runs an enterprise and are integrated with the
management process. These components are:
● Internal Environment – The internal environment encompasses the tone of an
organization, and sets the basis for how risk is viewed and addressed by an entity’s
people, including risk management philosophy and risk appetite, integrity and ethical
values, and the environment in which they operate.
● Objective Setting – Objectives must exist before management can identify potential
events affecting their achievement. Enterprise risk management ensures that
management has in place a process to set objectives and that the chosen objectives
support and align with the entity’s mission and are consistent with its risk appetite.
● Event Identification – Internal and external events affecting achievement of
an entity’s objectives must be identified, distinguishing between risks and
opportunities. Opportunities are channeled back to management’s strategy
or objective-setting processes.
● Risk Assessment – Risks are analyzed, considering likelihood and impact,
as a basis for determining how they should be managed. Risks are
assessed on an inherent and a residual basis.
● Risk Response – Management selects risk responses – avoiding,
accepting, reducing, or sharing risk – developing a set of actions to align
risks with the entity’s risk tolerances and risk appetite.
● Control Activities – Policies and procedures are established and
implemented to help ensure the risk responses are effectively carried
out.
● Information and Communication – Relevant information is identified,
captured, and communicated in a form and timeframe that enable people
to carry out their responsibilities. Effective communication also occurs in a
broader sense, flowing down, across, and up the entity.
● Monitoring – The entirety of enterprise risk management is monitored and
modifications made as necessary. Monitoring is accomplished through
ongoing management activities, separate evaluations, or both.

Enterprise risk management is not strictly a serial process, where one component affects only
the next. It is a multidirectional, iterative process in which almost any component can and does
influence another.

Relationship of Objectives and Components

There is a direct relationship between objectives, which are what an entity strives to achieve,
and enterprise risk management components, which represent what is needed to achieve
them. The relationship is depicted in a three-dimensional matrix, in the form of a cube.
The four objective categories – strategic, operations, reporting, and compliance – are
represented by the vertical columns, the eight components by horizontal rows, and an
entity’s units by the third dimension. This depiction portrays the ability to focus on the
entirety of an entity’s enterprise risk management, or by objectives category, component,
entity unit, or any subset thereof.

Effectiveness
Determining whether an entity’s enterprise risk management is “effective” is a judgment
resulting from an assessment of whether the eight components are present and functioning
effectively. Thus, the components are also criteria for effective enterprise risk management. For
the components to be present and functioning properly there can be no material weaknesses,
and risk needs to have been brought within the entity’s risk appetite.

When enterprise risk management is determined to be effective in each of the four categories
of objectives, respectively, the board of directors and management have reasonable
assurance that they understand the extent to which the entity’s strategic and operations
objectives are being achieved, and that the entity’s reporting is reliable and applicable laws
and regulations are being complied with.

The eight components will not function identically in every entity. Application in small and
mid-size entities, for example, may be less formal and less structured. Nonetheless, small
entities still can have effective enterprise risk management, as long as each of the
components is present and functioning properly.

Limitations
While enterprise risk management provides important benefits, limitations exist. In addition
to factors discussed above, limitations result from the realities that human judgment in
decision making can be faulty, decisions on responding to risk and establishing controls
need to consider the relative costs and benefits, breakdowns can occur because of human
failures such as simple errors or mistakes, controls can be circumvented by collusion of two
or more people, and management has the ability to override enterprise risk management
decisions. These limitations preclude a board and management from having absolute
assurance as to achievement of the entity’s objectives.

Encompasses Internal Control


Internal control is an integral part of enterprise risk management. This enterprise risk
management framework encompasses internal control, forming a more robust
conceptualization and tool for management. Internal control is defined and described in
Internal Control – Integrated Framework. Because that framework has stood the test of
time and is the basis for existing rules, regulations, and laws, that document remains in
place as the definition of and framework for internal control. While only portions of the
text of Internal Control – Integrated Framework are reproduced in this framework, the
entirety of that framework is incorporated by reference into this one.

Roles and Responsibilities


Everyone in an entity has some responsibility for enterprise risk management. The
chief executive officer is ultimately responsible and should assume ownership. Other
managers support the entity’s risk management philosophy, promote compliance with
its risk appetite, and manage risks within their spheres of responsibility consistent with
risk tolerances. A risk officer, financial officer, internal auditor, and others usually have
key support responsibilities. Other entity personnel are responsible for executing
enterprise risk management in accordance with established directives and protocols.
The board of directors provides important oversight to enterprise risk management, and
is aware of and concurs with the entity’s risk appetite. A number of external parties,
such as customers, vendors, business partners, external auditors, regulators, and
financial analysts often provide information useful in effecting enterprise risk
management, but they are not responsible for the effectiveness of, nor are they a part
of, the entity’s enterprise risk management.

Organization of This Report


This report is in two volumes. The first volume contains the Framework as well as this
Executive Summary. The Framework defines enterprise risk management and
describes principles and concepts, providing direction for all levels of management in
businesses and other organizations to use in evaluating and enhancing the
effectiveness of enterprise risk management. This Executive Summary is a high-level
overview directed to chief executives, other senior executives, board members, and
regulators. The second volume, Application Techniques, provides illustrations of
techniques useful in applying elements of the framework.

Use of This Report


Suggested actions that might be taken as a result of this report depend on position
and role of the parties involved:
● Board of Directors – The board should discuss with senior management the state of the
entity’s enterprise risk management and provide oversight as needed. The board should
ensure it is apprised of the most significant risks, along with actions management is
taking and how it is ensuring effective enterprise risk management. The board should
consider seeking input from internal auditors, external auditors, and others.
● Senior Management – This study suggests that the chief executive assess the
organization’s enterprise risk management capabilities. In one approach, the chief
executive brings together business unit heads and key functional staff to discuss an
initial assessment of enterprise risk management capabilities and effectiveness.
Whatever its form, an initial assessment should determine whether there is a need for,
and how to proceed with, a broader, more in-depth evaluation.
● Other Entity Personnel – Managers and other personnel should consider how they are
conducting their responsibilities in light of this framework and discuss with more-senior
personnel ideas for strengthening enterprise risk management. Internal auditors should
consider the breadth of their focus on enterprise risk management.
● Regulators – This framework can promote a shared view of enterprise risk
management, including what it can do and its limitations. Regulators may refer to this
framework in establishing expectations, whether by rule or guidance or in conducting
examinations, for entities they oversee.
● Professional Organizations – Rule-making and other professional organizations
providing guidance on financial management, auditing, and related topics should
consider their standards and guidance in light of this framework. To the extent diversity
in concepts and terminology is eliminated, all parties benefit.
● Educators – This framework might be the subject of academic research and analysis, to
see where future enhancements can be made. With the presumption that this report
becomes accepted as a common ground for understanding, its concepts and terms
should find their way into university curricula.

With this foundation for mutual understanding, all parties will be able to speak a
common language and communicate more effectively. Business executives will be
positioned to assess their company’s enterprise risk management process against a
standard, and strengthen the process and move their enterprise toward established
goals. Future research can be leveraged off an established base. Legislators and
regulators will be able to gain an increased understanding of enterprise risk
management, including its benefits and limitations. With all parties utilizing a common
enterprise risk management framework, these benefits will be realized.

COSO_ERM

ERM Defined:
“... a process, effected by an entity’s board of directors, management and other
personnel, applied in strategy setting and across the enterprise, designed to identify
potential events that may affect the entity, and manage risks to be within its risk
appetite, to provide reasonable assurance regarding the achievement of entity
objectives.”

Why ERM is Important


Underlying principles:
● Every entity, whether for-profit or not, exists to realize value for its stakeholders.
● Value is created, preserved, or eroded by management decisions in all activities, from
setting strategy to operating the enterprise day-to-day.

ERM supports value creation by enabling management to:
● Deal effectively with potential future events that create uncertainty
● Respond in a manner that reduces the likelihood of downside outcomes and increases
the upside.

Enterprise Risk Management - Integrated Framework


This COSO ERM framework defines essential components, suggests a common
language, and provides clear direction and guidance for enterprise risk management.

The ERM Framework


Entity objectives can be viewed in the context of four categories:
● Strategic
● Operations
● Reporting
● Compliance

The eight components of the framework are interrelated.

Enterprise risk management requires an entity to take a portfolio view of risk.
● Management considers how individual risks interrelate.
● Management develops a portfolio view from two perspectives:
- Business unit level
- Entity level

Internal Environment
● Establishes a philosophy regarding risk management. It recognizes that unexpected as
well as expected events may occur.
● Establishes the entity’s risk culture.
● Considers all other aspects of how the organization’s actions may affect its risk culture.

Risk Culture
● The set of encouraged and acceptable behaviors, discussions, decisions and attitudes
toward taking and managing risk within an institution.
● The glue that binds all elements of risk management infrastructure together, because
it reflects the shared values, goals, practices and reinforcement mechanisms that
embed risk into an organization’s decision-making processes and risk management into
its operating processes.
● A look into the soul of an organization to ascertain whether risk/reward trade-offs
really matter.

Objective Setting
● Is applied when management considers risk strategy in the setting of objectives.
● Forms the risk appetite of the entity - a high-level view of how much risk management
and the board are willing to accept.
● Risk tolerance, the acceptable level of variation around objectives, is aligned with risk
appetite.

Event Identification
● Differentiates risks and opportunities.
● Events that may have a negative impact represent risks.
● Events that may have a positive impact represent natural offsets (opportunities), which
management channels back to strategy setting.
● Involves identifying those incidents, occurring internally or externally, that could affect
strategy and achievement of objectives.
● Addresses how internal and external factors combine and interact to influence the risk
profile.

Risk Assessment

● Allows an entity to understand the extent to which potential events might impact
objectives.
● Assesses risks from two perspectives:
- Likelihood
- Impact
● Is used to assess risks and is normally used to measure the related objectives.
● Employs a combination of both qualitative and quantitative risk assessment
methodologies.
● Relates time horizons to objective horizons.
● Assesses risk on both an inherent and a residual basis.
● Inherent Risk is typically defined as the level of risk in place in order to achieve an
entity’s objectives and before actions are taken to alter the risk’s impact or likelihood.
● Residual Risk is the remaining level of risk following the development and
implementation of the entity’s response.

The steps between the assessment of inherent risk and the final evaluation of residual risk

1. Risk Response - Management designs risk responses at various levels based on the
analysis of the risk (impact and likelihood) and on the defined level of risk tolerance.
The response typically includes the categories of acceptance, avoidance, reduction,
and sharing.
2. Establishment of Controls - Controls are typically established in those operational areas
that are essential, where acceptance is too risky and avoidance and sharing are not
possible or practical.
● A control is any activity which mitigates or reduces risk, but typically it involves
an additional activity to ensure that a process occurs as it should. Cost vs
benefit is always considered in the establishment of controls.
3. Testing and Assessment of Internal Controls - To ensure that controls are operating
efficiently, testing is usually necessary, particularly in automated processes. The testing
provides confidence that controls have reduced risk to a tolerable level.
4. Corrective Action - is warranted when a control is weak, not in place, or not functioning
properly. These actions are documented and added to the entity’s risk assessment plan
with a timeline for action.
● Testing can be time-consuming and not always possible, and an alternative is to
combine on-going monitoring with a regular review of control design to provide
assurance that activities are being carried out in a timely and accurate manner.

Risk Response
● Identifies and evaluates possible responses to risk.
● Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk
responses, and degree to which a response will reduce impact and/or likelihood.
● Selects and executes response based on evaluation of the portfolio of risks and
responses.

Control Activities

● Policies and procedures that help ensure that the risk responses, as well as other entity
directives, are carried out.
● Occur throughout the organization, at all levels and in all functions.
● Include application and general information technology controls.

Information and Communication
● Management identifies, captures, and communicates pertinent information in a form and
timeframe that enables people to carry out their responsibilities.
● Communicating occurs in a broader sense, flowing down, across, and up the
organization.

Monitoring
Effectiveness of the other ERM components is monitored through:
● Ongoing monitoring activities.
● Separate evaluations.
● A combination of the two.

Internal Control
A strong system of internal control is essential to effective enterprise risk management.

Relationship to Internal Control - Integrated Framework


● Expands and elaborates on elements of internal control as set out in COSO’s “control
framework.”
● Includes objective setting as a separate component. Objectives are a “prerequisite” for
internal control.
● Expands the control framework’s “Financial Reporting” and “Risk Assessment.”

ERM Roles and Responsibilities


● Management
● The Board of Directors
● Risk Officers
● Internal Auditors

Internal Auditors
● Play an important role in monitoring ERM, but do NOT have primary responsibility for its
implementation or maintenance.
● Assist management and the board or audit committee in the process by:
- Monitoring
- Evaluating
- Examining
- Reporting
- Recommending Improvements
Standards
● 2010.A1 - The internal audit activity’s plan of engagement should be based on a risk
assessment, undertaken at least annually.
● 2120.A1 - Based on the results of the risk assessment, the internal audit activity should
evaluate the adequacy and effectiveness of controls encompassing the organization’s
governance, operations, and information systems.
● 2210.A1 - When planning the engagement, the internal auditor should identify and
assess risks relevant to the activity under review. The engagement objectives should
reflect the results of the risk assessment.

Key Implementation Factors


1. Organizational design of business
2. Establishing an ERM organization
3. Performing risk assessments
4. Determining overall risk appetite
5. Identifying risk responses
6. Communication of risk results
7. Monitoring
8. Oversight and periodic review by management

Organizational Design
● Strategies of the business
● Key business objectives
● Related objectives that cascade down to the organization from key business objectives
● Assignment of responsibilities to organizational elements and leaders (linkage)

Example: Linkage
● Mission - To provide high-quality accessible and affordable community-based health
care
● Strategic Objective - To be first or second largest, full-service health care provider in
mid-size metropolitan markets.
● Related Objective - To initiate dialogue with leadership of 10 top under-performing
hospitals and negotiate agreements with two this year.

Establish ERM
● Determine a risk philosophy
● Survey risk culture
● Consider organizational integrity and ethical values
● Decide roles and responsibilities

Assess Risk
Risk assessment is the identification and analysis of risks to the achievement of business
objectives. It forms a basis for determining how risks should be managed.

Example: Risk Model


● Environmental Risks
○ Capital Availability
○ Regulatory, Political, and Legal
○ Financial Markets and Shareholder Relations

● Process Risks
○ Operation Risk
○ Empowerment Risk
○ Information Processing / Technology Risk
○ Integrity Risk
○ Financial Risk

● Information for Decision Making
○ Operational Risk
○ Financial Risk
○ Strategic Risk

Environmental Risk
- The actual or potential threat of adverse effects on living organisms and the environment by
effluents, emissions, radiation, wastes, resource depletion, etc., arising out of an
organization’s activities.
Environmental exposures, whether physical, chemical or biological, can induce a harmful
response and may affect soil, water, air, natural resources or entire ecosystems, as well as the
plants and animals - including humans - and the surroundings where they live.

Impact of Environmental Risk

● Damage to brand reputation
● Penalties for violation
● Damages resulting from faulty or defective construction or materials
● Losses from first- and third-party property and material liability
● Expenses for clean-up of emissions
● Business interruption losses during contamination removal
● Costs associated with premiums, litigation, investigation, and compliance
● Expenses for remediation measures
● Historical (pre-existing) coverage for past events or operations
● Demonstrating financial assurance to satisfy regulation requirements in a contamination
event: financial security, complete and complementary mechanisms (i.e. bonds, surety),
closure and post-closure care of hazardous waste facilities and landfills, etc.

Process Risk
- A loss in revenue as a result of ineffective and/or inefficient processes.
- Ineffective processes hamper the achievement of the organization’s objectives,
- whereas inefficient processes may succeed in achieving objectives
yet fail to consider the high costs incurred.

Types of Process Risk

1. Infrastructure Risk
Infrastructure outages such as failure of basic communications linkages can trigger
process failures.

2. Information Technology Risk
The risk of technology errors or security incidents that disrupt or invalidate processes.

3. Human Error
Errors or oversights can result in low quality or failed processes. For example, if a stock
trader incorrectly enters an order, the order may execute at the wrong price or quantity,
potentially representing a significant loss. It is often possible to reduce human error by
designing processes that are human-friendly and error tolerant.

4. Workplace Safety
Potential threats to human health and safety such as a physical accident or injury due to
repetitive strains.

5. Mechanical Failure
Breakdown of equipment can disrupt processes such as manufacturing or supply chain
operations.

6. Process Quality
In many cases, it is the quality of a process itself that leads to failures. A low quality
process may not properly anticipate real world conditions and may break down with
changes in the business environment. For example, a customer service process may
work under normal conditions but may fail when call volumes spike.

Operational Risk
is “the risk of a change in value caused by the fact that actual losses, incurred for inadequate or
failed internal processes, people and systems, or from external events (including legal risk),
differ from the expected losses”.

Employee Empowerment
entails giving employees the authority to make critical business decisions on their own with little
to no supervision.

Employee Empowerment Risk

● Increased Arrogance
○ When employees are empowered, their confidence levels tend to increase.
(Positive)
○ Confidence is a good thing because it creates happier workers and productivity
levels soar. (Positive)
○ Confidence levels can be taken too far and end up crossing the line into
arrogance. (Negative)

Employee Empowerment Risk: Confidentiality and Security Risks

● Management shares important information with employees. This free exchange of ideas and
information makes the employees feel appreciated and important. (Positive)
● Employees take on more responsibility within the company. As they take on more responsibility,
they begin working independently with little to no supervision. (Positive)
● The company saves money by decreasing its managerial workforce. (Positive)
● When information is freely exchanged with people throughout the company, there is an
increased risk to confidential and security-related data. (Negative)
● Decisions are made by employees rather than by managers and supervisors who are educated
and trained in making sound decisions. (Negative)
● The lack of experience leads to an increase in mistakes and unnecessary company
risks. (Negative)

Employee Empowerment Risk: Interpersonal Relations Suffer

● Employees may confuse empowerment and being able to make their own decisions with having
the authority to do whatever they want. (Negative)
● As employees take on additional responsibilities, some may end up taking things too far. (Negative)
● Interpersonal relations within the company will suffer and incidents involving conflict will
rise. (Negative)

Technology Risk
● The potential for losses due to technology failures.
- An ecommerce website crashes resulting in lost revenue.
- A technology project goes over budget and fails to meet goals set out in its
business case.
- A security incident results in theft of customer data resulting in legal liability,
reputational damage and compliance issues.

Integrity Risk
● The probability that integrity is not achieved in:
- Operations
○ Performance
- Financial reporting
○ Reliable, transparent
- Compliance
○ Honest

Financial Risk
The possibility that shareholders or other financial stakeholders will lose money when they invest
in a company that has debt, if the company’s cash flow proves inadequate to meet its financial
obligations.
When a company uses debt financing, its creditors are repaid before shareholders if the
company becomes insolvent.

Types of Financial Risk

● Credit risk, also referred to as default risk, is the type of risk associated with people who
borrow money and become unable to pay back the money they borrowed. Lenders face:
- decreased income from loan payments,
- lost principal and interest, or
- a rise in costs for collection.
● Liquidity risk involves securities and assets that cannot be purchased or sold quickly
enough to cut losses in a volatile market.
● Currency Risk
○ Interest rate changes and monetary policy changes can alter the value of the
asset that investors are holding.
○ Changes in prices because of market differences, political changes, natural
calamities, diplomatic changes or economic conflicts - investment risk
● Strategic Risk
○ Is the risk that failed business decisions, or lack thereof, may pose to a
company.
○ Is often a major factor in determining a company’s worth, particularly observable
if the company experiences a sharp decline in a short period of time.
○ Due to this and its influence on compliance risk, it is a leading factor in modern
risk management.
○ Companies whose cultures do not put a strong emphasis on integrity have been
found to be 10 times more likely to commit unethical acts than those who do.
○ Customer service strategies - chiefly, the idea of what a customer service worker
can do to please the customer, or what many call “going the extra mile”.

Steps in risk assessment

● Identify
- Risks and opportunities
- Who/what are affected
- Scope of impact
● Evaluate - measure
- Who/what are affected
- Scope of impact
● Select and execute
- Prioritize according to impact

Risk Management
● Control
- Setting internal controls
- Reduce/mitigate - lessen the impact
- Accept - low impact
● Transfer
- Share the liability (insurance, outsourced)
● Avoid
- High impact (reschedule, stop)

Risk Monitoring
● Risk monitoring is the ongoing process of managing risk.
- Residual risk
- New risk
● Risk monitoring is the process of tracking risk management execution and continuing to
identify and manage new risks.

Determine Risk Appetite

● Risk appetite is the amount of risk - on a broad level - an entity is willing to accept in
pursuit of value.
● Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and
consider risk tolerance (range of acceptable variation).

Key questions:
● What risks will the organization not accept?
(e.g. environmental or quality compromise)
● What risks will the organization take on new initiatives?
(e.g. new product lines)
● What risks will the organization accept for competing objectives?
(e.g. gross profit vs. market share)

Identify Risk Responses

● Quantification of risk exposure
● Options available:
○ Accept = monitor
○ Avoid = eliminate (get out of situation)
○ Reduce = institute controls
○ Share = partner with someone (e.g. insurance)
● Residual risk (unmitigated risk - e.g. shrinkage)

Communicate Results
● Dashboard of risks and related responses (visual status of where key risks stand
relative to risk tolerances)
● Flowcharts of processes with key controls noted
● Narratives of business objectives linked to operational risks and responses
● List of key risks to be monitored or used
● Management understanding of key business risk responsibility and communication of
assignments

Monitor
● Collect and display information
● Perform analysis
- Risks are being properly addressed
- Controls are working to mitigate risks

Management Oversight and Periodic Review

● Accountability for risks
● Ownership
● Updates
○ Changes in business objectives
○ Changes in systems
○ Changes in processes

Internal auditors can add value by:

● Reviewing critical control systems and risk management processes.
● Performing an effectiveness review of management’s risk assessments and the internal
controls.
● Providing advice in the design and improvement of control systems and risk mitigation
strategies.
● Implementing a risk-based approach to planning and executing the internal audit
process.
● Ensuring that internal auditing’s resources are directed at those areas most important to
the organization.
● Challenging the basis of management’s risk assessments and evaluating the adequacy
and effectiveness of risk treatment strategies.
● Facilitating ERM workshops.
● Defining risk tolerances where none have been identified, based on internal auditing’s
experience, judgment, and consultation with management.

ERM-FAQs

Comprising the professional associations listed above, the Committee of Sponsoring
Organizations (COSO) is a voluntary private-sector organization. COSO is dedicated to
guiding executive management and governance entities toward the establishment of more
effective, efficient, and ethical business operations on a global basis. It sponsors and
disseminates frameworks and guidance based on in-depth research, analysis, and best
practices.

FAQs for COSO's Enterprise Risk Management — Integrated Framework

A. What is the framework and how do I get it?

1. What is in the framework?

The framework describes the critical principles and components of an effective
enterprise risk management process, setting forth how all important risks should be
identified, assessed, responded to and controlled. It also provides a common language,
so that when executives, directors and others talk about risk management, they are
truly communicating.
The framework sets forth how a company applies enterprise risk management in its
strategic planning and also describes techniques some companies are using in
identifying and managing risk. Importantly, the framework emphasizes how an effective
enterprise risk management process identifies not only the downside, but also the
upside, or opportunities that can be seized to enhance profitability and return. The
framework also describes roles of key players in the enterprise risk management
process.

2. Where can I find the framework?

An executive summary of the Framework is posted in .pdf format on www.coso.org.
There, you will also be able to place an order for either a hard copy or electronic copy of
the two-volume set that includes the executive summary as well as the Enterprise Risk
Management – Integrated Framework and associated Application Techniques. The
same charge ($75 or $50 for members of COSO organizations) applies to both hard
and soft copy.

B. Why is this a framework that organizations should support?

1. What limitations of existing enterprise risk management models
prompted creation of a new framework?

There have been a wide variety of frameworks utilized across companies and across
countries. Some of these focus narrowly on risk management (rather than enterprise risk
management). Others focus on specific industries or specific types of risk. In addition,
many of these focus on mechanisms for reducing — rather than managing — risk. By
contrast, the COSO Enterprise Risk Management – Integrated Framework addresses
enterprise risk management applicable to all industries and encompassing all types of
risk. Moreover, the framework recognizes that an effective enterprise risk management
process must be applied within the context of strategy setting. This is a fundamental
difference from most risk models used to date. It starts with the top of the organization and
supports an organization’s major mission.

In addition, many of the pre-existing frameworks stood by themselves, and thus tended to
be implemented within functions. As a result, many risk management practices have been
implemented in silos (i.e., in one part or one function of the organization). Consequently,
risk management may be done very well in one section, but not consider how actions of
other parts of the organization affect their risks, or it might not capture the overall significant
risks that the organization faces. The Enterprise Risk Management – Integrated Framework
presents an enterprise-wide perspective of risk and standardizes terms and concepts to
promote effective implementation across the organization.

2. How might the framework assist organizations in structuring their entities to best
manage exposure to risk?

By formally organizing risk management responsibilities and activities, an organization is
much better positioned to achieve its objectives. To achieve its business objectives,
management will want to ensure that sound risk management processes are in place and
functioning. Board and audit committees have an oversight role to determine that
appropriate risk management processes are in place and that these processes are
adequate and effective. The COSO Enterprise Risk Management – Integrated Framework
provides comprehensive guidance on each of these points and includes numerous
examples of approaches used by risk management practitioners in a diverse group of
organizations.

3. Is there such a thing as being overly conscientious about risk?

The purpose of an entity is to provide goods and services that people value. The pursuit
of that goal is paramount in most organizations. An organization that focuses more on risk
management than on pursuing its primary goals is likely to underperform.

C. What are some of the key concepts established in this framework?

1. What is the difference between risk appetite and risk tolerance?

Both risk appetite and risk tolerance set boundaries of how much risk an entity is prepared
to accept. Risk appetite is a higher level statement that considers broadly the levels of
risks that management deems acceptable while risk tolerances are more narrow and set
the acceptable level of variation around objectives. For instance, a company that says that
it does not accept risks that could result in a significant loss of its revenue base is
expressing appetite. When the same company says that it does not wish to accept risks
that would cause revenue from its top-10 customers to decline by more than 10% it is
expressing tolerance. Operating within risk tolerances provides management greater
assurance that the company remains within its risk appetite, which, in turn, provides a
higher degree of comfort that the company will achieve its objectives.

2. How does an organization determine the right amount of risk for the value it is
trying to create for stakeholders and how should it communicate its risk policy to
stakeholders?

The level of risk that an entity is willing to accept is a management decision – and there
is no right answer to this question. One company’s management will pursue a
higher-risk strategy while another will pursue a lower-risk strategy. The shareholder
should understand the risk chosen by management and invest in accordance with
his/her own tolerances for potential variation in stock performance. Organizations
communicate the levels of risk accepted through the MD&A, quarterly and annual
reports, press releases, investor calls, etc.

3. What is the relationship between effective enterprise risk management and
improved financial reporting and transparency?

There are natural linkages between enterprise risk management, improved financial
reporting and transparency. The Enterprise Risk Management – Integrated Framework
requires that organizations establish a risk appetite, measure actions and decisions against
that risk appetite and communicate results. Communication of enterprise risk management
to users of financial information clearly enhances transparency.

4. Is this intended for private organizations? Is there any organization this is not
intended for?

Enterprise risk management is a process that companies of all sizes and degrees of
sophistication should consider. The framework is scalable, enabling companies to
match the process to the company’s complexity and sophistication. There is an intrinsic
expectation that all organizations, be they for-profit, not-for-profit, government organizations,
etc., each work to manage risk. The Enterprise Risk Management – Integrated Framework
will facilitate the process.

D. How does this framework relate to COSO's Internal Control Framework?

1. Are you replacing the Internal Control Framework with the Enterprise Risk
Management Framework?

The Internal Control – Integrated Framework is conceptually sound and has stood the test
of time. The Enterprise Risk Management – Integrated Framework is a broader framework
that incorporates the internal control framework within it. In other words, one approach to
risk is to develop controls to mitigate the risks. The frameworks are compatible and are
based on the same conceptual foundation. We believe the consistent conceptual
underpinnings are a major strength of the two models. Appendix C of the Enterprise Risk
Management – Integrated Framework provides a detailed discussion of the relationship to
Internal Control – Integrated Framework.

2. What is the relationship between technology controls and effective enterprise risk
management?

The Enterprise Risk Management – Integrated Framework requires feedback of
information from throughout the company. This information must be current and
accurate and must be robust enough to support the analysis of different risk
responses. Therefore, the technology that provides this data must have the highest
levels of integrity and controls. Enterprise risk management cannot be effective if
the technology that provides the data used to manage risk is flawed. Controls
related to technology, also referred to as general computer controls, were also
discussed in the Internal Control – Integrated Framework.

3. If you have good internal control, isn’t that a way of managing risk?

A strong system of internal control supports the achievement of the organization’s
business objectives and therefore good internal control is a way of managing risk.
However, enterprise risk management is much broader than internal control. In addition to
supporting management’s efforts to achieve business objectives, it aligns risk
management with strategy setting and aids a company’s ability to assess whether the
organization is accepting risk appropriately.

4. What does the new framework offer clients that are focusing on internal control?

Companies that want to move beyond internal control and get more out of their efforts now
have a framework that will help them go to the next level. As the Enterprise Risk
Management – Integrated Framework includes the concepts and components initially
developed in the Internal Control – Integrated Framework, expanding their practices to
incorporate risk management will be more evolutionary and not require that they “throw
away” all of the previous efforts. The Enterprise Risk Management – Integrated Framework
details, for the first time, the link between value, risk, strategy, objective setting,
performance measurement, risk response and control processes.

E. How might organizations view the framework in the context of their
Sarbanes-Oxley 404 compliance process?

1. With the significant amount of implementation efforts companies are currently
undertaking for Sarbanes-Oxley compliance and adoption of new accounting
standards, why should companies be motivated to implement enterprise risk
management?

The implementation of COSO’s Enterprise Risk Management – Integrated Framework
will provide long term benefits to an organization and therefore should be viewed with a
longer term implementation perspective. The current emphasis on control in
Sarbanes-Oxley is primarily focused on financial reporting. However, there are
additional aspects of risk management that go beyond internal controls and are rooted
in the strategy setting activities of a company and in the management analysis of risk
appetite and risk tolerance necessary to pursue its objectives as a company.

Not all companies are at the same level of expertise or knowledge of risk management
techniques, and approaches vary widely. Continued adoption of the Enterprise Risk
Management Framework by both companies and academics will result in a more
consistent approach to risk management as companies strive to create value for
stakeholders.

2. What makes this different from the internal control framework? How does it
relate to Sarbanes-Oxley reporting?

The Enterprise Risk Management – Integrated Framework is broader than internal
control, and actually incorporates the key concepts set out in COSO's earlier Internal
Control – Integrated Framework. While there are several differences, the three points
that are probably the most prominent are that risk management considers risks during
strategy setting, requires management to form a view of how much risk the
organization is prepared to accept – known as risk appetite – and requires that risk
management be done outside of silos through a portfolio view of the organization's
risks.

Much of the internal control focus today is on only one aspect of internal control – internal
controls over financial reporting for Sarbanes-Oxley 404. This is distinct from reporting on risk
management.

F. How do people in an organization intersect with this framework?

1. What is the role of the board in enterprise risk management? How does this
framework help them?

The Board provides oversight of enterprise risk management. They will be asked to
understand key elements of enterprise risk management, inquire of management about
risks, and concur on certain management decisions. However, the board is not in the
position of making choices on behalf of management and does not alleviate
management’s role in enterprise risk management.

2. What is the role of the CFO and others in the financial management organization
in enterprise risk management? How will this framework help them?

The CFO and the financial organization play a key role in providing the needed disciplines
and procedures to establish risk management as an integral part of the business strategy
setting process. The CFO provides the organization with analytical tools to help determine
risk appetite and risk tolerance. The CFO is well positioned to look across the businesses
and functions within a company to develop and implement the portfolio view of risk. He/she
has the experience and knowledge to establish controls necessary to assure that the
evaluation of risk is a continuing and integral part of the management process and is
consistent with the risk management philosophy agreed to with the board.

3. What is the role of internal auditors in enterprise risk management? How will
this framework help them?

Board and audit committees have an oversight role to determine that appropriate risk
management processes are in place and that these processes are adequate and
effective. Internal auditors can assist both management and the audit committee by
examining, evaluating, reporting, and recommending improvements on the adequacy
and effectiveness of management’s risk management processes. The COSO Enterprise
Risk Management – Integrated Framework provides a benchmark for internal auditors to
use in the evaluation of their organization’s risk management efforts.

4. Who are the potential implementers of the framework?

The framework is robust. It works best when an organization develops an integrated
process to address risk throughout the organization, and further, that risk approach is led
from the top of the organization. The framework can be used in all functional areas,
including information technology, finance, accounting, internal audit and risk specialists
within any organization. However, the framework is designed to promote entity-wide
capabilities for identifying, documenting, and dealing with risk on a consistent basis.
Chapter 10 of the Enterprise Risk Management – Integrated Framework
addresses roles and responsibilities in detail.

Inherent vs. Residual Risk

Consideration of both inherent and residual risk is one of the most important aspects of
enterprise risk management. Inherent Risk is typically defined as the level of risk in place in
order to achieve an entity’s objectives and before actions are taken to alter the risk’s impact
or likelihood. Residual Risk is the remaining level of risk following the development and
implementation of the entity’s response.

Inherent vs. Residual Risk:

The difference between the inherent and residual risk may be imagined or visualized as water
flowing through a filter. Inherent risk is above the filter, which constitutes management controls.
A smaller pool of residual risk remains.

Inherent risk is established only after the entity’s key objectives have been defined, and steps
have been taken to identify what could go wrong to prevent the entity from achieving those
objectives. In addition to impact and likelihood, management considers the nature of the risk,
whether the risk results from fraud, natural events such as storms, or complex or unusual
business transactions. The origin and character of the risk contributes to understanding its
potential impact and likelihood of occurrence.

Risk Assessment:

The risks included in the initial risk identification process are usually referred to as a “risk
universe” – a listing of the risks that the entity faces. These risks are typically organized by
standard risk categories such as strategic, financial, operational, and compliance, but may also be
divided into sub-categories based on function, division, section, etc.

The steps between the assessment of inherent risk and the final evaluation of residual risk may
vary somewhat from entity to entity. They typically include much of the core process of
enterprise risk management, and will typically involve the following steps:

· Risk Response – Management designs risk responses at various levels based on
the analysis of the risk (impact and likelihood) and on the defined level of risk tolerance.
The response typically includes the categories of acceptance, avoidance, reduction,
and sharing.

· Establishment of Controls – Controls are typically established in those
operational areas that are essential, where acceptance is too risky and avoidance and
sharing are not possible or practical. A control is any activity which mitigates or
reduces risk, but typically it involves an additional activity to ensure that a process
occurs as it should. Cost vs. benefit is always considered in the establishment of
controls.

· Testing and Assessment of Internal Controls – To ensure that controls are
operating efficiently, testing is usually necessary, particularly in automated processes.
The testing provides confidence that controls have reduced risk to a tolerable level.

· Corrective Action – Corrective action is warranted when a control is weak, not in place,
or not functioning properly. These actions are documented and added to the entity’s risk
assessment plan with a timeline for action. Testing can be time-consuming and not always
possible, and an alternative is to combine on-going monitoring with a regular review of control
design to provide assurance that activities are being carried out in a timely and accurate
manner.

The Revised COSO Enterprise Risk Guidance (Aligning Risk with Strategy and Performance,
June 2016) identified a new principle – the organization identifies “risk in execution” that
impacts the achievement of business objectives. This requirement highlights the importance of
identifying new, emerging and changing risk. Examples would include a change in business
objectives, a change in business context, and a change that was previously unknown or was
previously unidentified. The new COSO guidance also cautions against bias in assessment, in
which one’s personal point of view plays a disproportionate role in the evaluation of risk.

Enterprise risk management requires the organization to consider the potential implications
of a risk profile from an entity-wide perspective. This requires the completion of a final
executive-level report, which presents and categorizes residual risks. Often a “heat map” is
used to display the severity of one risk relative to another, and to categorize and identify key
obstacles to the achievement of objectives.
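
The inherent-to-residual steps above, as an added worked example (not COSO's guidance or the course's own material): a small risk register scored on an assumed 1-5 impact x likelihood scale, put through the four response categories, bucketed for a heat map, and checked against a per-risk tolerance so that risks still above tolerance are flagged for corrective action. The scales, the heat-map thresholds, the reduction fractions and the sample risks are all constructed assumptions.

```python
"""Risk register model: inherent risk, response, residual risk, heat map (constructed
example; the 1-5 scales, reduction fractions and sample risks are assumptions)."""
from dataclasses import dataclass

RESPONSES = {"accept", "avoid", "reduce", "share"}  # COSO response categories


@dataclass
class Risk:
    name: str
    category: str               # strategic, financial, operational, compliance
    impact: int                 # inherent impact, 1 (negligible) .. 5 (severe)
    likelihood: int             # inherent likelihood, 1 (rare) .. 5 (almost certain)
    response: str               # one of RESPONSES
    tolerance: int              # highest residual score management will accept
    impact_reduction: float = 0.0       # share of impact a control/insurance removes
    likelihood_reduction: float = 0.0   # share of likelihood a control removes
    control_tested: bool = False        # has the control been tested and assessed?


def score(impact: int, likelihood: int) -> int:
    """Inherent or residual score = impact x likelihood on the 1-5 scales."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be on the 1-5 scale")
    return impact * likelihood


def heat_bucket(s: int) -> str:
    """Bucket a score for the executive heat map (thresholds are assumptions)."""
    if s >= 16:
        return "critical"
    if s >= 10:
        return "high"
    if s >= 5:
        return "medium"
    return "low"


def _cut(value: int, fraction: float) -> int:
    # never reduce a factor below 1: controlling or sharing a risk does not erase it
    return max(1, round(value * (1 - fraction)))


def residual_score(r: Risk) -> int:
    """Apply the chosen response to the inherent risk to obtain residual risk."""
    if r.response not in RESPONSES:
        raise ValueError(f"unknown response {r.response!r}")
    if r.response == "avoid":       # exit the activity: no residual exposure
        return 0
    if r.response == "accept":      # monitor only; nothing changes
        return score(r.impact, r.likelihood)
    if r.response == "share":       # insurance/outsourcing shifts impact, not likelihood
        return score(_cut(r.impact, r.impact_reduction), r.likelihood)
    # reduce: controls may cut both factors, but an untested control earns no credit,
    # since only testing gives confidence that the control has actually reduced risk
    if not r.control_tested:
        return score(r.impact, r.likelihood)
    return score(_cut(r.impact, r.impact_reduction),
                 _cut(r.likelihood, r.likelihood_reduction))


def assess(register: list[Risk]) -> list[dict]:
    """Executive-level view: residual score, heat-map bucket and a corrective-action
    flag wherever residual risk still exceeds the tolerance set for that risk."""
    rows = []
    for r in register:
        residual = residual_score(r)
        rows.append({
            "name": r.name,
            "category": r.category,
            "inherent": score(r.impact, r.likelihood),
            "residual": residual,
            "bucket": heat_bucket(residual),
            "corrective_action": residual > r.tolerance,
        })
    rows.sort(key=lambda row: row["residual"], reverse=True)  # most severe first
    return rows


def corrective_actions(register: list[Risk]) -> list[str]:
    return [row["name"] for row in assess(register) if row["corrective_action"]]


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("Top-10 customer revenue decline", "strategic", 5, 3, "reduce", tolerance=9,
         impact_reduction=0.4, likelihood_reduction=0.33, control_tested=True),
    Risk("Customer data theft from web store", "operational", 5, 4, "reduce", tolerance=8,
         impact_reduction=0.2, likelihood_reduction=0.5, control_tested=False),
    Risk("Warehouse fire", "operational", 4, 2, "share", tolerance=6, impact_reduction=0.75),
    Risk("Inventory shrinkage", "financial", 2, 4, "accept", tolerance=8),
    Risk("Hazardous waste handling line", "compliance", 5, 2, "avoid", tolerance=0),
]
```

Because an untested control earns no reduction, the data-theft risk keeps its inherent score of 20, lands in the critical bucket and is the only entry flagged for corrective action.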

Internal Controls

Internal Control System

Internal Control system means all the policies and procedures (internal controls) adopted by
the management of an entity to assist in achieving management's objective of ensuring, as far
as practicable, the orderly conduct of its business, the safeguarding of assets, the prevention and
detection of fraud and error, the accuracy and completeness of the accounting records, and the
timely preparation of reliable financial information.

Internal Controls

Internal Control is a process, effected by an entity’s board of directors, management, and
other personnel, designed to provide reasonable assurance regarding the achievement of
objectives relating to:
