On March 2, the State-owned Assets Supervision and Administration Commission (SASAC) held a work conference on deepening the construction of the rule of law and strengthening compliance management of ** enterprises, requiring them to accelerate the deepening and practical implementation of compliance management of ** enterprises. It is proposed to "take the chief compliance officer system as the core to ensure the effective performance of duties;Improve the operation mechanism and promote the implementation of results;We should do a good job in key areas and intensify managementStrengthen case management and realize the use of cases to promote management;improve management efficiency through informatization construction" and other five work priorities to promote the in-depth and practical implementation of compliance management.
Based on the policy documents and the practical experience of enterprises, this paper summarizes the principles and methods of the integration of the "trinity" management system of risk, compliance and internal control, and provides experience and reference for enterprises. This article will focus on policy guidelines, practice summaries, practice paths, and value outcomes. The second part will focus on the organic integration of risk, compliance and internal control "trinity" system and practice methods.
1. Policy guidance
In order to promote the sustainable and healthy development of state-owned enterprises, prevent and control corporate risks, and accelerate the construction of the compliance system, the State-owned Assets Supervision and Administration Commission, the Ministry of Finance, the China Securities Regulatory Commission and other regulatory authorities have successively issued a series of important policies and guidelines on corporate risk, compliance and internal control management.
The following table summarizes the key policy documents and key points in each field in recent years:
Risk management area
Compliance management
Internal control area
*:* SASAC, Ministry of Finance, China Securities Regulatory Commission and other regulatory agencies**.
2. Summary of practice
(1) The three systems have a common goal and a high degree of homogeneity
Through the study of the relevant policies and normative documents of the three systems, PwC found that there are commonalities in the control objectives and operating mechanisms of enterprise risk management, compliance management and internal control, and the common service objects of the three types of management systems are the company's basic business behaviors, or business processes. The operating mechanism of the three systems is also includedRisk identification, risk assessment, risk response, risk monitoring, risk inspection, and continuous optimizationand other specific links. Risk, compliance and internal control management work together to serve the business process of the enterprise, and risk management and compliance management are based on internal control as the main means to meet the compliance objectives and risk prevention and control objectives of the operation, which theoretically have the premise of integrated operation.
(2) The current situation of the parallel system of the three systems and the problems that arise
When enterprises run risk management, compliance management, and internal control systems in parallel, there are problems such as separate actions, duplicate investment, and overlapping functions. Therefore, it is urgent to integrate and improve these three functions, and give full play to the advantages of each system through mechanism integration and information sharing, so as to realize the work value of 1+1+1>3.
(3) The three systems adapt to the needs of the reform, transformation and upgrading of state-owned enterprises
Combined with the requirements of state-owned assets regulatory policies, it is the development trend of the construction of state-owned enterprise management systems to continuously promote the integration and upgrading of internal control, risk and compliance. The construction of the "three-in-one" management system will become an important guarantee for the reform, transformation and upgrading, quality and efficiency improvement of state-owned enterprises under the new situation, and it is also an important attempt of enterprise risk management. From the perspective of integrating and prompting risk management resources, the risk management mechanism and measures are reflected through internal control means, so as to build a benign closed-loop enterprise operation and development management chain, which will help promote the reform, transformation and upgrading of enterprises and escort the high-quality development of enterprises.
3. Practice the path
To build an integrated management system for risk, compliance and internal control, both methods and practices are indispensable. Enterprises need to steadily promote relevant work to provide guidance on how to operate, how to guarantee, and how to optimize and improve integrated management.
Enterprises need to solve the practical problems of who is in charge, what to manage, how to manage and how to guarantee the "trinity" management system by clarifying responsibilities, compacting responsibilities, drawing red lines, clarifying control methods, establishing key mechanisms, and improving operation rules, and establish a feasible set of methods in line with the actual situation of the enterprise. On the basis of the top-level structure of the system construction, various specific tools are built to assist the actual operation of the "trinity" management system, and the key points of risk, compliance and internal control are integrated to form a practical tool with comprehensive coverage and precise prevention and control, so as to realize the integrated operation of the three systems.
Fourth, value effectiveness
By building an integrated management system with risk management as the core, compliance management as the bottom line, and internal control as the starting point, the three systems are effectively integrated, the overall management level of the enterprise is improved, the control cost is reduced, and the management and control efficiency of the enterprise is maximized.
Through the operation of the "three-in-one" management system, the external rigid compliance requirements and various risks faced by the enterprise are organically integrated into various business scenarios and appropriate control measures within the enterprise, and on the basis of ensuring compliance implementation and risk prevention and control, the needs of enterprise operation and development are taken into account, and the quality and efficiency of enterprise business development are improved through collaborative and efficient internal control. The "three-in-one" management system will help enterprises achieve the management and control goals of "strengthening internal control, preventing risks, and promoting compliance", improve the level of enterprise operation and management, and escort the development of enterprises.