As we enter our third year of ERM, we have a number of initiatives under way to enhance the ERM program and better integrate it with other internal control efforts. First, we have worked with our internal audit leadership to ensure that the top company risks are being considered in their annual internal audit risk assessment, which drives the internal audit plan. These top risks will be one of many factors used to assess which processes, areas, and functions in the company should be considered for an internal audit.
We continue to look for ways to identify and assess emerging and blind spot risks and opportunities earlier and more comprehensively. In that regard, we intend to engage the corporate Intelligence Network, a cross-functional and informal group of people whose jobs require looking for societal, market, technology, and competitive trends relevant to GM around the world, to supplement the knowledge and sources of the risk officer network and ERM team.
There is always room for improvement in the plans to mitigate risks and seize opportunities. Both the risk officer network and the ERM staff can be valuable resources to an individual risk officer or functional leader trying to analyze a risk, develop a plan, and check it for robustness. We intend to utilize these capabilities more fully and systematically, particularly for complex cross-functional and cross-regional issues.
While our initial ERM focus has been to identify and manage top risks, we also realize that this is only one part of a successful ERM program. With reasonable attention to the top risks now in place, we are ready to address oversight of the day-to-day operational controls. In this regard, we are in the process of developing an enhanced program for operational control self-assessment (CSA), which is often cited as a fundamental and critical component of any successful ERM program. This program will begin with a joint risk assessment conducted across the organization in conjunction with internal audit.
GM implemented various versions of CSA over the years, but these processes waned over time and no longer fully support the business as intended, largely due to resources being redirected to support Sarbanes-Oxley resource requirements. There are many ways to achieve control self-assessment, and we recognize that typical programs are often criticized as not adding value because they lack substance or are simply check-the-box exercises. On the other hand, Sarbanes-Oxley at its core is intended to be a management self-assessment of controls over financial reporting despite having evolved into requiring very in-depth, time-consuming assessments.
There is a need to avoid either creating a burden on the organization to the point where the cost outweighs the benefits (which is how many businesses have viewed Sarbanes-Oxley) or creating a program that is low-cost but lacks any substantive value. Our goal in creating an improved CSA program is to strike a balance so that we are maximizing value to the organization and our shareholders by enhancing operational control assurance while spending resources wisely.
Exhibit 34.7 CSA Root Cause
The approach we have developed is a policy-based CSA that will start with asking business unit operations' line managers simple yes or no questions with regard to their compliance on specific policy requirements. However, we are taking this process a few steps further by requiring the managers to attach supporting evidence for their responses. To ensure that the supporting evidence is valid and sufficient, an ERM CSA representative will consult with the manager on control design and perform a quality assurance validation of the submission. The representative will also respond to any questions and assist in action plan development as needed. The ERM CSA representative will also review any action plans to correct self-identified deficiencies to make sure that the action plan addresses the root cause of the issue (see Exhibit 34.7).
We prefer this approach because it strengthens accountability at the operational level, which has frontline responsibility for internal controls. As a policy-based program, it drives behaviors that strengthen the company as a whole:
• Policy and process owners realize that they can leverage policies as a means to ensure results. If key risks are addressed in the policy, they will be assessed through CSA, and deficiencies will be uncovered and resolved by operating management.
• All business teams obtain a clear and consistent understanding of major activities and objectives of global or regional processes.
• CSA elevates the importance of up-to-date, accurate policies that address key risks.
Given that CSA is a global program, we expect that implementation will continue well into 2014.
-  Control self-assessment is a technique that has managers review and certify the existence and quality of the controls around policies, procedures, and practices.