
Summary of Corporate Governance for

Assignment Week 14

Lecturer : Dr. Vera Diyanty, S.E., M.M

Presented by Group 3 :

Aghna Mahardhika (1506726422)

Muhammad Rizki Ramadhan (1506731473)

FAKULTAS EKONOMI DAN BISNIS

UNIVERSITAS INDONESIA

2018
1. THE THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT
AND CONTROL
The Three Lines of Defense model provides a simple and effective way to improve
communication on risk management and control by clarifying important roles and tasks.
The model provides a new look at operations and can help ensure the ongoing and
appropriate success of risk management initiatives for any organization, regardless of
size or complexity. Even within organizations where a formal risk management
framework or system does not exist, the Three Lines of Defense model can improve
clarity about risk and control and help improve the effectiveness of risk management
systems.

Figure 1. The Three Lines of Defense Model (IIA Position Paper)

Even though the governing bodies and senior management are not considered to be in the model,
they are still the primary stakeholders served by the lines, because the risk management process
could not be complete without considering their essential role. Their position in the model is
therefore to help ensure that the model is reflected in the organization’s risk management and
control processes. They have responsibility and accountability for setting the organization’s
objectives, defining strategies to achieve those objectives, and establishing governance structures
and processes to best manage the risks in accomplishing those objectives.
1. The First Line of Defense: Operational Management (Functions that own and manage
risks)
Operational management is responsible for maintaining effective internal controls and for
executing risk and control procedures on a day-to-day basis. Operational management
naturally serves as the first line of defense because controls are designed into systems and
processes under the guidance of operational management. There should be adequate
managerial and supervisory controls in place to ensure compliance and to highlight control
breakdowns, inadequate processes, and unexpected events.
2. The Second Line of Defense: Risk Management and Compliance (Functions that oversee
risks)
Management establishes various risk management and compliance functions to help build
and/or monitor the first line-of-defense controls. There are three specific functions that will be
performed by the second line of defense: risk management function, compliance function, and
controllership function. Management establishes these functions to ensure the first line of
defense is properly designed, in place, and operating as intended. Each of these functions has
some degree of independence from the first line of defense, but they are by nature management
functions. As management functions, they may intervene directly in modifying and developing
the internal control and risk systems. Therefore, the second line of defense serves a vital purpose
but cannot offer truly independent analyses to governing bodies regarding risk management
and internal controls.
3. The Third Line of Defense: Internal Audit (Functions that provide independent
assurance)
Internal auditors provide the governing body and senior management with comprehensive
assurance based on the highest level of independence and objectivity within the organization.
It provides assurance on the effectiveness of governance, risk management, and internal
controls, including the manner in which the first and second lines of defense achieve risk
management and control objectives. The scope of this assurance covers a broad range of
objectives, all elements of the risk management and internal control framework, and the overall
entity, divisions, subsidiaries, operating units, and functions. Establishing a professional
internal audit activity should be a governance requirement for all organizations because it ensures
the effectiveness of its governance and risk management processes.

The Role of External Auditors, Regulators, and Other External Bodies

External auditors, regulators, and other external bodies (the external parties) have an important
role in the organization’s overall governance and control structure. For example, in the highly
regulated financial industry, regulators sometimes set requirements intended to strengthen the
controls in an organization and on other occasions perform an independent and objective
function to assess the whole or some part of the first, second, or third line of defense with regard
to those requirements. When coordinated effectively, the external parties of the organization
can be considered as additional lines of defense, providing assurance to the organization’s
shareholders, including the governing body and senior management. However, the risk
information gathered is generally less extensive than the scope addressed by an organization’s
internal three lines of defense.

Coordinating the Three Lines of Defense

All three lines should exist in some form at every organization, regardless of size or complexity,
because risk management normally is strongest when there are three separate and clearly
identified lines of defense. Regardless of how the Three Lines of Defense model is
implemented, senior management and governing bodies should clearly communicate the
expectation that information be shared and activities coordinated among each of the groups
responsible for managing the organization’s risks and controls.

2. Board Gender Diversity and Internal Control Weaknesses, Advances in Accounting

PCAOB (2007), in its paper Auditing Standard No. 5: An Audit of Internal Control Over Financial
Reporting That Is Integrated with an Audit of Financial Statements, generally concludes that
smaller and younger firms, more financially distressed firms, and more complex firms are more
likely to receive material weakness opinions. In addition, certain aspects of a firm's corporate
governance, including institutional ownership, auditor choice, and audit committee
independence, are associated with the likelihood of receiving material weakness opinions
(Ashbaugh-Skaife et al., 2007; Krishnan, 2005; Zhang, Zhou, & Zhou, 2007).

However, that literature omits consideration of the diversity of the firm's board of
directors. This is somewhat surprising because the board of directors can be thought of as the
apex of an organization's monitoring and control system (Fama & Jensen, 1983). The paper
itself focuses on one observable board member characteristic—the gender of the board members,
because the gender diversity literature has found considerable differences in behavioral
characteristics between males and females. For example:

• Males prefer competition much more than their female counterparts, even after
controlling for ability (Niederle & Vesterlund, 2007).
• Males are overconfident in their investment decisions: men trade 45% more than
women and earn lower returns as a result (Barber & Odean, 2001).
• Females have also been shown to be more risk averse (Beckmann & Menkhoff, 2008;
Bellucci, Borisov, & Zazzaro, 2010).
• There is evidence consistent with female board members being better monitors (Adams
and Ferreira, 2009).
• Female board members are more likely to serve on monitoring committees (Author of
this paper).
• CEO turnover is more sensitive to stock performance at firms with more female board
members (Author of this paper).
• Finally, there is considerable evidence that gender-diverse boards are more likely to
discuss tough and sensitive issues than all-male boards (Clarke, 2005; Huse & Solberg,
2006; McInerney-Lacombe, Bilimoria, & Salipante, 2008; Stephenson, 2004).

The paper then forms its hypotheses as follows:

H0: There is no negative relationship between the presence of females on the board of directors
and the likelihood of an internal control weakness.

HA: There is a negative relationship between the presence of females on the board of directors
and the likelihood of an internal control weakness.

The empirical results of the test are as follows:

• Critical mass (30% proportion of the board) significantly enhances firm innovation.
However, the paper's results do not support the critical mass theory and show that having even
one female director is associated with a reduced likelihood of internal control
weaknesses.
• A firm with a female director (FEM_DUM=1) is ±9.7% (after being
translated) less likely to report an internal control weakness compared with a firm with
no female directors.
• Females on corporate boards deter material weaknesses, regardless of whether or not
they serve on the audit committee.
• Endogeneity¹ (a firm characteristic that simultaneously leads to a higher proportion of
female board members and a lower likelihood of internal control weaknesses) is not an
issue in this study.
• Reverse causality (firms with fewer ICFR (internal control over
financial reporting) deficiencies retaining more female directors, and not vice versa) is
also not an issue in the study.

¹ Endogeneity is when an explanatory variable is correlated with the error term.

In conclusion, the paper rejects H0.

3. Financial Reporting Council: Boards and Risk: A Summary of Discussions with
Companies, Investors, and Advisers

Summary of the Main Findings:

The Role of the Board, Committees and Management:

1. The Board’s overall responsibilities included determining the company’s approach to risk,
setting its culture, risk identification, oversight of risk management, and crisis management.

2. However, better risk decision-taking should not automatically mean less risk-taking, which
was essential to entrepreneurial activity.

3. Different board committee structures may be appropriate to different industries and
companies. The decision should be left to individual boards, rather than imposing a “risk
committee” on all companies.

4. While views differed on the exact dividing line between the Audit Committee and the Board,
and between the Audit and Risk Committees, the essential requirement was clarity.
Responsibility for reviewing internal controls and the process of risk management might be
delegated to board committees, but this did not detract from the Board’s strategic responsibility
for risk decision-taking.

The Company’s Approach to Risk:

5. The Board needed to agree its appetite or tolerance for key individual risks; to understand
the company’s exposure to risk and how this might change, as a result of changes to strategy
and the operating environment; and to take a view on these changes.

6. Boards needed to focus especially on those risks capable of undermining the strategy or long-
term viability of the company or damaging its reputation.

The Changing Nature of Risk:


7. Reputational risk had grown in importance and required greater attention. The increased
“velocity of risk”, with near-instantaneous global transmission of failure, required robust crisis
management plans, including clear prior agreement on the respective roles of the Chairman and
Chief Executive in a crisis.

The Quality and Use of Information:

8. Boards are striving to develop new approaches for risk discussions and decisions, and to
ensure that “risk maps” are actively managed and reviewed and focus on areas of change.

9. A focus only on “net risk” could be dangerous. It was essential that boards had a view on
the company’s potential exposure to risk. Boards needed a view of the combination of risks
before the application of mitigation policies (“gross risk”), in order to consider their
effectiveness.

10. One of the greatest challenges faced by companies was judging how much information was
required by the Board to perform its role, including determining when a particular risk should
be brought to the Board’s attention. The Chairman played a key role here, but senior executives
carried responsibility to see that risks were properly reported to the Board.

Sources of Assurance:

11. Transparency and clear lines of accountability through the organisation were essential for
effective risk management.

12. Within the company, risk management and internal audit functions continued to play a vital
role. Their reporting lines to board committees must be clear.

13. The issue of whether external assurance or advice was needed and, if so, who was best
qualified to provide it, depended on the nature of the risk and the company’s own internal
capacity and expertise. For example, where the Board had established a separate Risk
Committee, it was generally felt that it was beneficial for any advice that was needed to be
sought from a source other than the company’s external auditors.

Risk and Control Culture:

14. Good corporate culture was widely seen as essential to good risk management, and in this
respect the Board needed to set the tone at the top. Boards were becoming more proactive in
seeking to assure themselves about the risk and control culture in the company.

15. Investors sought more meaningful reporting on risk, for example through an integrated
discussion of the company’s business model, strategy, key risks and mitigation.

Public Reporting:

16. While commercial sensitivities were acknowledged as an inhibition on open reporting, it
was helpful if companies could indicate to shareholders when and to what extent they believed
their exposure to risk was changing.

The Turnbull Guidance:

17. The Turnbull Guidance was generally considered still to be an effective framework for the
review of risk management and internal control systems. However, the majority of participants
believed that it needed to be updated to address the Board’s responsibilities as defined under
the revised UK Corporate Governance Code.
Satyam Fiasco

1. Describe India’s environment that investors should consider when investing in
companies like Satyam.
India is known as a country with a deep-rooted influence of Hinduism, where various social
strata are dominant. This cultural condition affects Indians in social life as well as in business.
Investors should consider significant cultural factors that could affect the company. For
example, an investor needs to consider whether an independent committee is truly
independent in accordance with applicable regulations and whether the board members are
free from the attitude that they work for those who brought them on to the board. These are
necessary to minimize conflicts over Indian ownership structures in the form of pyramids or
sole ownership by a family. In addition, India is also known as a country with a high level
of corruption. Investors therefore need to ensure good corporate governance practice to
minimize the negative effects of India’s environment.
2. Discuss the areas of the company culture and structure that could have raised some
red flags about Satyam’s situation.
Several aspects of Indian culture could raise red flags about Satyam. The high power distance
between seniors and juniors leads to an adage that for junior employees to say “no” could
be perceived as being impolite and offensive to those in authority. Besides that, discussions
and decisions were initiated by the senior-most executives. This situation could create an
information gap between the seniors and juniors. Thus, the juniors did not know what
actually happened in Satyam. They only worked to follow the boss and not argue, acting as
“Yes Men”. Those things could create the opportunity for the board of directors to commit
fraud in Satyam.
In addition, the pyramid ownership structure of Raju’s family also increases the possibility
of red flags. The existence of three family-related executive directors on the board
also raises the possibility of red flags. Besides that, the passive role of the
non-executive directors also sent Satyam into a worse situation, as they failed to fulfill their
fiduciary obligation. The existence of a conspiracy between the management, employees, and
external auditors also contributes to the higher level of red flags at Satyam.
3. What are the challenges of effective implementation of a whistleblower policy in a
company such as Satyam? How should directors react to whistleblower complaints?
The main challenge for whistleblower regulations in companies like Satyam is the Indian
culture that is deeply rooted in the companies. Indian culture is concerned with
seniority, so if a senior makes a mistake and an employee reports the error, the
employee will be considered rude and impolite. In addition, Satyam's own culture was
seen to benefit the interests of Raju and his family above the interests of other stakeholders.
This also has an implication for how directors view complaints from the whistleblower system if
the complaints conflict with Raju's interests. The recipient of the whistleblower complaint,
Krishna Palepu, also acted as Satyam’s business consultant. Thus, although Krishna Palepu
had the capability to know the ideal practice for dealing with whistleblowers, he did
not follow up the complaints with any further appropriate action because he had an
affiliation with Raju. According to ICAEW (2004), ideal directors will use a
whistleblower report to review the company's internal controls. In addition, the directors
will document the evidence of the report and follow up the report confidentially. The
directors will also provide feedback to the complainant in a timely manner. All these
procedures should ideally be known to all managers and employees of the company.
4. Analyse the independence of the board and the ability of the board to exercise
independent judgment on the corporate affairs of Satyam. Given the credentials of
the non-executive directors, why would they still have missed the fraud perpetrated
in the company over a number of years?
The Company's board consists of 6 (six) non-executive directors, of which 5 (five) were
considered independent commissioners. From this point of view, we can see that the
majority of non-executive directors were considered independent. However, one of the
independent commissioners has been a commissioner since 1991, one other independent
commissioner has been given high compensation through the educational institution, and
they get high compensation from Satyam. The non-independent commissioner, Krishna Palepu,
also earns substantial revenue from Satyam for his role as Satyam’s business consultant.
Thus, it could be concluded that the actual number of independent commissioners is
only two.
The voice of the non-executive directors was not heard by Raju. We can see this when Raju
forced the merger with a company owned by his son. Thus, it is possible that this low
decision-making power could trigger the board's unwillingness to provide the best possible
performance. So, we can conclude that the lack of independence of the board of
commissioners and the board's low decision-making power made
it negligent in detecting the fraud that had occurred for many years.
5. A number of directors resigned from the company after the aborted Maytas merger
and before the fraud became public. Should they have resigned and could they have
done more to protect shareholders’ interests?
The board of commissioners has a fiduciary duty to act only on behalf of
shareholders. If they resign because the executive acts unscrupulously, then they simply
neglect their duty. By abandoning their positions, they instead give the executive discretion
to carry out his unscrupulous actions. Ideally, they should not resign but hold their
position to protect the company. If they think that they have failed to fulfill their fiduciary
duty, they should resign before the announcement, not after the event. If they had done that,
they would have given a signal to the shareholders that something was not right with the
company.
6. Who is responsible for the loss in shareholder value?
Several parties are responsible for the loss of shareholder value. Ramalinga
Raju is responsible for the loss of shareholder value because he had manipulated some of
Satyam’s accounts in the financial statements since 2001, which caused the stock to
be overvalued at that time. Raju also requested approval to merge with Maytas without
any prior consultation with the BOC. The BOC is also responsible for the loss
because they failed to fulfill their fiduciary duty by approving Raju's merger request.
However, the investors did not approve the request because they considered this action
intended only to benefit Raju's family. This caused Satyam to lose public trust, and the
share value plummeted nearly 87% in only one day after the announcement. In addition, PwC
as the external auditor is also a responsible party, as it had certified Satyam’s
accounts as being true and fair.
7. Are the regulatory reforms undertaken after the scandal likely to have a positive effect
on corporate governance in India? How can the role of independent directors be
enhanced without making it too onerous to be an independent director?
The policy change after the scandal had a negative effect on corporate governance in India,
as the number of independent commissioners decreased and greatly affected the future of
corporate governance in India. The number of independent commissioners decreased due to
a reassessment of the risk by independent commissioners, because they did not want a lifetime of
built-up reputation to be tarnished by the actions of a single unscrupulous promoter like
Ramalinga Raju. But I believe that in the future this policy change will have a positive
impact on good corporate governance practice in India, as they have learned a lot from
the Satyam case, the greatest scandal by an Indian company.
The role of an independent commissioner can be enhanced by possessing the capability to
understand the business environment, accounting / financial knowledge, and laws of the
capital market, and by not having affiliation with shareholders in order to avoid a conflict of
interest, because the role of an independent commissioner is to overcome the conflict. In
addition, the design and quality of supervision must be maintained continuously.
8. Should the non-executive and independent directors be held accountable for the fraud
perpetrated in Satyam?
The non-executive and independent directors played a pivotal role in the fraud committed at
Satyam. Krishna Palepu, as one of the non-executive directors, and the other commissioners had
been informed of the fraud through a whistleblowing letter from one of their employees
stating that the company's accounts had been manipulated. But no further action was
taken in response. They should have taken appropriate action on the issues raised through the
whistleblowing system because they have a fiduciary duty to protect shareholder value.
They should have followed up the report and taken corrective action, but they did not.
