
Improving the management structure of DSM’s Business

Process Control Designs

Unlimited innovation, limited risks

Author: Ina Warnaer


Research conducted for

‘Royal DSM’

Corporate Finance & Economics, Corporate Internal Control, Heerlen, The Netherlands

Thesis to obtain a Master’s degree in Business Administration at the University of Groningen, The Netherlands

July 2005

Author: Ina Warnaer (1166301)

Advisors: Prof. Dr. D.M. Swagerman (1st, RUG), S. Sibum (2nd, RUG), R. van Beekum (DSM), M. Treur (DSM)


Preface

This thesis is the outcome of research conducted during an internship between the 4th of October 2004 and the 30th of June 2005 at the headquarters of DSM in Heerlen, the Netherlands.

In order to obtain a Master's degree in Business Administration, the author had to conduct an independent research project of half a year in an existing organization and write a report on this research. That report is the thesis before you.

The choice for an internship at DSM was not a hard one to make. DSM, one of the leading industrial companies, operating worldwide but with its heritage in the Netherlands, has always impressed me a lot.

Furthermore, DSM's innovative character and its transformation into a multi-specialty company made me aware of the attractiveness of conducting an internship at DSM.

Although I was actually looking for a more controlling-oriented research project, DSM offered me a research project at Corporate Internal Control. Because of the interesting topic I decided to accept the research project.

A part of any preface is thanking the people that have been helpful with this project.

First of all, I would like to thank all my colleagues at DSM. Not only have they been very co-operative with my research project, they were also friendly and open to a newcomer and quickly made me feel at ease. Special thanks go to Rene van Beekum, Manager Corporate Internal Control, and Marianne Treur, Apollo/ Hermes Internal Control team lead, for giving me advice and helping me out during my research project.

Furthermore I want to thank CSI, and in particular Werner van Haelst and Christophe Vandekerkhove, for their assistance during the pilot of CSI Controls Organizer®.

Another word of thanks goes to Dirk Swagerman for giving me advice, not only concerning my research project but also about my future career. Our inspiring conversations really made me aware of, and maybe also a little bit confused about, my possibilities in the future. Furthermore I want to thank Mr. Sibum for being my second reader.

Finalizing this preface, the biggest thanks go to my parents and brother, who have supported me through life and have always believed in me.

Ina Warnaer


Contents

Executive summary

Chapter one

1 Methodologies

1.1 DSM

1.2 Department Corporate Internal Control

1.3 Cause of the research project

1.4 Research plan

1.5 Theoretical framework

1.6 Chapter summary

Chapter two

2 DSM's Risk Management System

2.1 DSM's Risk Management System

2.2 Business Process Control Designs

2.3 Corporate Governance

2.4 Chapter summary

Chapter three

3 Diagnosis

3.1 Apollo/ Hermes Internal Control Maintenance

3.2 Problem

3.3 Chapter summary

Chapter four

4 Design

4.1 Product specification

4.2 Design

4.3 Information requirements

4.4 Chapter summary

Chapter five

5 Change/ Realization

5.1 Change process

5.2 CSI CO Balanced Score Card

5.3 Recommendations

5.4 Chapter summary

Chapter six

6 Reflection

6.1 Results research process

6.2 Reflection literature

6.3 Reflection researcher

6.4 Chapter summary

List of References

Appendix

A Glossary

B Organizational structure CFE


Executive Summary

This thesis is the result of a research project that the author conducted during an internship at the headquarters of DSM between the 4th of October 2004 and the 30th of June 2005 in order to obtain a Master's degree in Business Administration at the University of Groningen. It has to show that the author can correctly apply the knowledge obtained, and it also has to be of relevance for the organization in which the research was conducted.

Chapter one briefly describes DSM and, more specifically, the department for which this research was conducted, Corporate Internal Control (CIC), as well as the methodological core of this thesis. DSM's Apollo/ Hermes program, the standardization of business processes within an ERP environment, influences one of CIC's activities, Apollo/ Hermes Internal Control, which is responsible for the maintenance of the Internal Control (IC) deliverables. IC deliverables are continuously in development because of changes in business processes and requests from Business Groups to add or change functionalities in the DSM standard that was devised during the Apollo/ Hermes program. CIC's request regarding one of the IC deliverables, the Business Process Control Designs (BPCDs), is to improve the management of the BPCDs, which should also make the maintenance and communication of the information in the BPCDs easier. This resulted in the following research goal:

Improving the management of BPCDs for Corporate Internal Control in the course of which the alignment of BPCDs with DSM’s Risk Management System will be reviewed.

The research goal has been divided in two research questions. The first one is as follows: Do Business Process Control Designs fit in DSM’s Risk Management System? This question deals with DSM’s Risk Management System, Corporate Governance and functions as theoretical framework for solving the second research question. The second question has been set up for solving DSM’s problem and has been formulated as follows: How can CIC adequately and effectively manage its BPCDs, aligned with DSM’s Risk Management System, primarily focusing on maintenance, but also having in scope the output aspect communication to parties involved?

The character of this research question called for a practical solution, which has been set up around the design methodology of De Leeuw.

Chapter two focuses on solving the first research question using an internal and an external approach, namely DSM's Risk Management System and corporate governance respectively.

DSM's Risk Management System is described around COSO's Enterprise Risk Management framework. BPCDs are discussed in more detail. The importance of controls in and around an ERP system is put forward and connected to the internal control objectives.

Recently, corporate governance regulations such as Sarbanes-Oxley and the Code Tabaksblat have come into the limelight; they focus on how organizations should control their operations. Due to the importance of Information Technology, such as an ERP system, in achieving an organization's objectives, IT governance has become increasingly important.

Chapter three, Diagnosis, contains a detailed problem analysis in order to find out how to solve the problem CIC experiences regarding the management of BPCDs. The problem has been approached from an information point of view, and two problem areas regarding BPCDs emerged: firstly the relevance and reliability of information, secondly the accessibility of information. Relevance and reliability refer to the need for a uniform framework and for procedures that safeguard the information in the BPCDs. Accessibility of information concerns DSM's need to manage the BPCDs in a tool other than the currently used Excel sheets.

Chapter four, Design, concentrates on designing the functional requirements needed to improve the management structure of the BPCDs. The information requirements laid down in the CobiT framework (Control Objectives for Information and related Technology) serve as a guide in formulating the functional requirements, because information that supports company objectives needs to comply with seven quality criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability. These information criteria have been translated in line with CIC's wishes and the requirements of Sarbanes-Oxley and the Code Tabaksblat.

The functional requirements concern the functionalities that need to be present in the tool and the procedures needed to make the Apollo IC maintenance process compliant with the information requirements.

Chapter five, Change/ Realization, evaluates to what extent the design, the redesigned management structure of the BPCDs, has already been realized. CIC acquired CSI Controls Organizer (CSI CO) in order to manage its BPCDs.

In order to align CSI CO with the functional requirements, DSM participated together with CSI in a pilot in which the new release of CSI CO was tested. However, due to time constraints and technical problems with adjusting the tool to DSM's wishes, not all functional requirements have (yet) been incorporated in the tool, or they were not tested during the pilot phase.

Apollo IC Maintenance procedures have been set up, although these procedures still need to be validated by the Apollo/ Hermes Internal Control Platform.

Chapter six, Reflection, evaluates the research project in three ways.

First, the results and conclusions of the research project are presented, in which the researcher looks back on the research process to evaluate to what extent the research questions have been answered. Given that the Apollo/ Hermes standard laid down in the BPCDs is the basis, the SOLL-position, for the controls that should be implemented and monitored in the business processes, effective and adequate management of the BPCDs is undoubtedly relevant. The redesigned management structure of the BPCDs consists of a tool, CSI CO, in which most functional requirements are incorporated, and Apollo/ Hermes IC Maintenance procedures that guarantee the quality of the information in the BPCDs.


Secondly, the researcher reflects on the literature used and on the relevance of the research project in a theoretical setting. The researcher indicates that the meaning of the internal control concept has evolved over the years and wonders whether ERM will replace, or is a replacement of, management control. The relevance of the research project has been placed in the cycle of design, operation, monitoring, reporting and, as the final piece, the In Control statement.

Finally, a reflection is given on the scientific requirements that every research project should comply with.


1 Methodologies

This first chapter contains information about DSM and Corporate Internal Control (CIC), the department in which the author worked for nine months, and about the methodology of this research project. It provides a frame of reference that gives the reader a more comprehensive understanding of several aspects dealt with in this thesis. After describing DSM and the CIC department, paragraph 1.4 presents the research plan, containing the research goal and research questions. A preliminary conceptual model then explains the research project. Finally, the scope and conditions of this research and the theoretical framework are discussed.

1.1 DSM1

Introduction

DSM is active worldwide in life science products, nutritional products, performance materials and industrial chemicals. DSM has annual sales of about EUR 8 billion and employs about 24,000 people at more than 250 sites worldwide.

DSM aims to transform rapidly into a multi-specialty group and pursues a global leadership position in activities offering relatively high added value, strong growth and stable profits.

As far as the composition of DSM's portfolio is concerned, DSM has succeeded in transforming its portfolio from chemical commodities into that of a multi-specialty company, with a strong focus on biotechnological and chemical products for the life science industry and on performance materials. An important step in achieving this strategy was the take-over of Roche's Vitamins & Fine Chemicals division (now DSM Nutritional Products). As a result, specialties account for almost 80% of annual sales.

Besides the integration of DSM Nutritional Products, the main priorities lie in three areas. Firstly, DSM aims to achieve a lasting improvement in the group's profitability. Secondly, DSM will pay extra attention to compliance and compliance monitoring. Finally, another spearhead is further profitable growth, with a special focus on China, the world's most rapidly growing market.

The Life Science Products cluster comprises DSM Fine Chemicals, DSM Pharmaceutical Products, DSM Anti-Infectives, DSM Food Specialties and DSM Bakery Ingredients. The activities of this cluster are mainly targeted at the pharmaceutical, food and agrochemical industries.

The Performance Materials cluster comprises DSM Elastomers, DSM Engineering Plastics, DSM Coating Resins, DSM Composite Resins and Dyneema.

The Industrial Chemicals cluster comprises DSM Fibre Intermediates, DSM Melamine, DSM Agro and DSM Energy.

1 All data in this paragraph are from the 2003/ 2004 DSM Annual Reports (http://www.dsm.com).


Organization

DSM has a decentralized organizational structure built around business groups that are empowered to carry out all business functions. This structure ensures a flexible, efficient and fast response to market changes. DSM Nutritional Products will remain a separate entity for the time being. At corporate level, DSM has a number of staff departments, such as Corporate Finance & Economics, to support the Managing Board of Directors and the business groups.

Corporate governance

DSM operates with explicitly formulated corporate values and directives regarding risk management, financial policy and the management of the organization, at corporate level as well as at business group level.

Figure 1: DSM’s Governance framework

Royal DSM is a public limited company with a Managing Board of Directors and an independent Supervisory Board. The Managing Board is responsible for the strategy, the portfolio policy, the deployment of resources and the results that follow from these.

The Supervisory Board monitors the management and policy of the Managing Board and the general course of business, and weighs the interests of all stakeholders.

The annual report, including the financial statements, is adopted and approved by the Shareholders' Meeting. Members of the Managing Board and of the Supervisory Board are appointed by the Shareholders' Meeting.

DSM provides all stakeholders with transparent information about the objectives, management and performance of the company and strives for an open dialogue with its shareholders and other stakeholders.

[Figure 1, diagram labels: Shareholders' Meeting; Articles of Association; Supervisory Board with Audit Committee; Managing Board; Unit Management; DSM's Enterprise Risk Management System; DSM's Operations and Business Processes; Shareholders; Other stakeholders.]

As shown in DSM's Governance framework, the Managing Board is accountable for adequate internal risk management and control systems, which therefore constantly deserve special attention. In fact, the Managing Board considers these systems critical pillars of DSM's internal management process.

1.2 Department Corporate Internal Control

Corporate Internal Control (CIC) is part of the Corporate Finance & Economics (CFE) department and is responsible for defining, on behalf of the Managing Board, the corporate policy on and the requirements for internal control.2

CIC also develops best practices for internal control and supporting tools, in close cooperation with the business groups and, more particularly, with the Internal Control Coordinators.

Three streams can be distinguished within CIC: 1) Risk Management and Internal Control, 2) Apollo/ Hermes Internal Control and 3) BWise3 functional application management.

This research project has been undertaken within the scope of Apollo/ Hermes Internal Control.

Figure 2: Organizational structure Corporate Internal Control

[Figure 2, diagram labels: Corporate Internal Control, R. van Beekum; Risk Management & Internal Control; Apollo/ Hermes Internal Control, M. Treur; BWise functional application management; the research project is positioned within Apollo/ Hermes Internal Control.]

DSM's definition of internal control can be formulated as follows4:

Internal control is a process that is designed to provide reasonable assurance that the following objectives are achieved:

2 See appendix B for the organizational structure of Corporate Finance & Economics.

3 BWise is a company specialized in corporate governance software. It focuses on processes, operational risks and control measures. See <http://www.bwise.com>

4 DSM's definition of internal control is derived from COSO, Internal Control - Integrated Framework, 1992.


Managing the risks inherent to the business and the business processes

As a good housekeeper, one should be prepared to deal with the risks one encounters in one's operating environment and in the business processes one performs. That means being prepared to accept a certain amount of controllable risk.

Safeguarding of assets (both tangible and intangible)

Both tangible assets, such as buildings and equipment, and intangible assets, such as knowledge and confidential information, should be protected against loss, theft and fraud.

Ensuring the quality (including reliability) of internal and external reporting

A proper internal control system gives assurance that the reports one publishes are both reliable and timely.

Compliance with laws and regulations, corporate policies, and requirements

DSM wishes its business operations to be in full compliance with local laws and regulations. In addition, DSM units around the world should be managed in accordance with the group's corporate requirements and policies.

At the moment two corporate projects, Apollo/ Hermes and True Blue, influence the dynamics within CIC.

The Apollo program comprises the development of best practice business processes, the mapping of these standard business processes into SAP, and the implementation in the various business groups.

In other words, the program institutes a uniform application of structured and standardized business processes in SAP R/3 within DSM. At the moment six Business Groups comply with the Apollo program, and in the near future all Business Groups will. Furthermore, the Apollo program should not be seen as a project but as a continuous program that is embedded in the organization and is constantly subject to change.

The Hermes program has been set up to standardize e-business processes and encompasses all functionalities or tools that are not covered by SAP. Recently both programs have been combined into one program: Apollo/ Hermes.

True Blue is the roll-out of the Corporate Requirements in the Business Groups, resulting in a new way of organizational thinking in which business processes are the starting point. All internal control deliverables have been aligned with the Corporate Requirements as far as possible and will be used in the roll-out of the Corporate Requirements.

Thus True Blue focuses on reducing non-compliance with internal and external regulations and on further strengthening control measures. In effect, True Blue checks to what extent the Business Groups have implemented the Apollo/ Hermes standard in their organization.


1.3 Cause of the research project

As already mentioned, one stream within CIC has the task and responsibility to maintain the Apollo/ Hermes Internal Control standard.

Since the introduction of the Apollo program within the organization, CIC has been involved in the so-called Apollo/ Hermes Internal Control Maintenance process, which aims at an effective, efficient and consistent set-up, maintenance and roll-out of the internal control deliverables.

At the moment Apollo/ Hermes Internal Control provides maintenance and support services for the internal control deliverables developed during the Apollo/ Hermes Kernel projects. The following internal control deliverables exist:

• Business Process Control Designs (BPCDs)

• Business Process Control Procedures (BPCPs)

• Authorization Design

However, within the Apollo Internal Control Maintenance process CIC experienced problems regarding the management, maintenance and communication of BPCDs, and thus indicated that improvements could be made in these areas.

The cause of this problem lies in the fact that during the Apollo program CIC developed and broadened its deliverables regarding DSM's Risk Management System around an ERP environment. This resulted in too much information to manage and generated specific problems with the maintenance of the BPCDs.

Unfortunately, within CIC there was never the time or the resources to tackle this problem. Therefore CIC requested that all this information be organized in such a way that proper management, maintenance and communication of the BPCDs is guaranteed.


1.4 Research plan

This paragraph deals with the research plan, starting with the research goal, the research questions and the boundary conditions of the research project. Next, a conceptual model is presented that clarifies the research process. Finally, the theoretical foundations of this research project are explained.

According to De Leeuw, the formulation of a problem contains the following three components5:

• Research goal

• Research question

• Boundary conditions

The research goal indicates for whom the research project is performed, what the research product will be and why it is important. In other words, the research goal makes the relevance of the research explicit.

Research goal

Improving the management of BPCDs for Corporate Internal Control in the course of which the alignment of BPCDs with DSM’s Risk Management System will be reviewed.

To fulfil the above goal it is necessary to translate the research goal into a research question, which makes more explicit what the research focuses on. The research question formulates the main question or questions; these connect with the research goal but are formulated in a more accessible manner and thereby also align with the theoretical framework of the research project. In fact, the research question is a description of the intended knowledge product and the starting point for the elaboration of the research project.

The following research questions have been formulated within this research project:

Research questions

1 Do DSM’s Business Process Control Designs fit in DSM’s Risk Management System?

The answer gives insight into DSM's Risk Management System and the contents of the BPCDs. The goal of this question is to determine the context of the research, and how this context affects the core of this thesis, namely improving the management of the BPCDs.

2 How can Corporate Internal Control adequately and effectively manage its BPCDs, aligned with DSM’s Risk Management System, primarily focusing on maintenance, but also having in scope the output aspect communication to parties involved?

This question deals with the actual problem experienced by the CIC department.


Boundary conditions

• The time for the research project is restricted to six months.

• The description of DSM’s Risk Management System should have a direct relationship with the research topic.

• The research project should take place in conformity with the requirements of the Faculty of Management and Organization.

Conceptual model

A conceptual model provides a global view of the research process. As shown in the conceptual model, the research questions are the starting point for shaping the model. The conceptual model can also be seen as a process flow in which the research questions and variables lead to achieving the research goal. The variables in the model correspond with the division of chapters in this thesis.


Figure 3: Research model

[Figure 3, diagram labels: Enterprise Risk Management (COSO); Ch. 2 with an internal stream (DSM's Risk Management System, Apollo/ Hermes IC Maintenance Process, Business Process Control Designs) and an external stream (trust & financial scandals; Corporate Governance -> SOX, Tabaksblat; IT Governance -> CobiT); research question 1: "Do DSM's BPCDs fit in DSM's Risk Management approach?"; research question 2: "How can Corporate Internal Control adequately and effectively manage its BPCDs, primarily focusing on maintenance, but also having in scope the output aspect communication to parties involved?"; Ch. 3: Diagnosis (management structure BPCDs -> maintenance -> communication); Ch. 4: Design (functional requirements, redesigned management structure BPCDs); Ch. 5: Realization (CSI CO Balanced Score Card, procedures Apollo IC Maintenance).]


Type of research and used methods

In general, two types of research can be distinguished: scientific and practical research.6

This research project falls within the category of practical research, which is characterized by a client-oriented focus in the research process. Knowledge is used as a tool for finding a solution to a specific practical problem. As figure 4 shows, the researcher looks at reality, observes a problem, consults the knowledge base for help, tries with other tools to find a solution and finally implements the solution in the actual situation in which the problem was observed.

Figure 4: Practical research

[Figure 4, diagram labels: researcher; knowledge database; reality; practical problem; design of solution.]

Within practical research the regulative cycle is present7; all actions are focused on effective intervention. Only the knowledge that is actually needed is taken from the knowledge base.

Figure 5: Regulative cycle

[Figure 5, diagram labels: observed problem; measure.]

Within practical research a distinction can be made between policy-supporting research and problem-solving research. This research project is problem-solving research, also called action research.

In problem-solving research the client's problem is considered as a whole. The research aims to find a solution for the client's complete knowledge need.

6 Ibid., p. 72

7 Ibid., p. 72


Research methods

For the first research question the main research method was desk research. An extensive literature study, in particular of COSO's Enterprise Risk Management report and of corporate governance regulation such as Sarbanes-Oxley and the Code Tabaksblat, together with internal information, oral and written, about DSM's Risk Management System, were the sources for answering the first research question.

The second research question has been set up around the design methodology of De Leeuw, in which diagnosis, design and change/ realization are the three phases of the research process. Characteristic of designing is the aim for a concrete solution; therefore solving the second research question requires a different and more practical approach, in which interviews are a more useful research method than literature. Literature was nevertheless consulted where necessary.

The most important research method was unstructured, qualitative, face-to-face in-depth interviews with employees of CIC during the diagnosis and design phases. During the realization phase, testing the tool in a pilot setting and consulting the external software consultants of the company CSI were the main sources of information.


1.5 Theoretical framework

This paragraph deals with the literature used in this thesis and why it has been used in this research project. The following theories are described: COSO's Internal Control and Enterprise Risk Management frameworks, Information Accounting Systems (BIV/AO) and in particular the internal control/ internal reliability system, the Diagnosis-Design-Change/ Realization methodology, and Corporate Governance/ IT Governance.

COSO- Internal control- integrated framework & Enterprise Risk Management.

These reports provide a framework for the assessment of internal control and for public accountability about these assessments. Besides the widely accepted importance of these reports, DSM's Risk Management System is based on COSO.

Corporate Governance

The public debate and recently issued regulations such as Sarbanes-Oxley and the Code Tabaksblat illustrate that the research topic fits in a broader framework. Since the importance of Information Technology in achieving organizational objectives has been recognized, IT governance has come into the limelight, which resulted among other things in CobiT, Control Objectives for Information and related Technology.

Information Accounting Systems

The internal reliability system discusses the importance of controls in guaranteeing reliable information in the organization. The introduction of SAP within DSM has brought forward the importance of controls within and around the information system in order to ensure the quality of information within DSM.

Diagnosis-Design-Realization methodology of De Leeuw

This framework is very useful in the field of problem-solving research and has been used in solving the second research question.

Information Accounting Systems8

Information Accounting Systems are defined as follows:

All activities regarding the systematic collection, recording and processing of data, aimed at providing information for management in the narrow sense, for the functioning and control of a housekeeping, and for accountability about it.

Within the field of Information Accounting Systems, internal control attaches importance to the reliability of information and to the measures that guarantee reliable information in a housekeeping.

The effectiveness of reliability measures is determined by organizational measures (segregation of duties) and by specific control measures.

The total set of internal control measures is limited on the basis of economic arguments: a control should not cost more than the risk it reduces.

8 The typically Dutch field BIV/ AO (Bestuurlijke Informatieverzorging/ Administratieve Organisatie) has been translated here as Information Accounting Systems.


The core elements of the internal control/ internal reliability system are:

• Information control

• Authorization control and compliance with internal regulations

• Safeguarding control

In the technical approach to control three elements are important:

• The elements that need to be tested (the IST-position, the actual situation)

• The elements that function as the measure or standard (the SOLL-position, the intended situation)

• The actual testing of the IST-position against the standard

COSO

In 1992 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued Internal Control - Integrated Framework, which established a framework for internal control and provided evaluation tools that organizations could use to evaluate their control systems. The framework identified and described five interrelated components necessary for effective internal control: control environment, risk assessment, control activities, information and communication, and monitoring.

Internal Control - Integrated Framework defined internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

Operations- Effectiveness and efficiency of operations

Reporting- Reliability of financial reporting

Compliance- Compliance with applicable laws and regulations to which the entity is subject

In 2004, following a 2003 exposure draft, COSO issued the Enterprise Risk Management - Integrated Framework.

Enterprise Risk Management is broader than internal control; it expands and elaborates on internal control to form a more robust conceptualization that focuses more fully on risk.

In the Enterprise Risk Management framework, the reporting category has been expanded, to cover all reports developed by the entity disseminated both internally and externally. Furthermore, the scope expands from financial statements to cover not just financial information, but non-financial information as well.

Another category of objectives has been added, namely strategic objectives, which operate at a higher level than the other ones. These objectives flow from an entity’s mission or vision, and the operations, reporting and compliance objectives should be aligned with them.

Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.


Enterprise Risk Management views entity objectives in the context of four categories:

• Strategic: relating to high-level goals, aligned with and supporting the entity’s mission

• Operations: relating to effective and efficient use of the entity’s resources

• Reporting: relating to the reliability of the entity’s reporting

• Compliance: relating to the entity’s compliance with applicable laws and regulations

Figure 6: Enterprise Risk Management- Framework COSO

COSO’s framework of Enterprise Risk Management consists of three dimensions: Components, Objectives and Entity and its organizational units. There is a direct relationship between objectives, which are what an entity strives to achieve, and the enterprise risk management components, which represent what is needed to achieve them.

In chapter 2 all components of Enterprise Risk Management will be discussed while explaining DSM’s Risk Management System.

Some entities use, besides the four categories mentioned in Enterprise Risk Management, another category namely safeguarding of resources/ assets.

Safeguarding of resources/ assets deals with prevention of loss of an entity’s assets or resources, whether through theft, waste, inefficiency or what turns out to be simply bad business decisions.

These are primarily operations objectives, although certain aspects of safeguarding can fall under the other categories. Thus safeguarding of resources can be seen as a specification of compliance, reporting and operation objectives.


Corporate Governance and trust

In our society trust is the basic principle on which the whole business world is founded. A company has to be trustworthy in order to find investors willing to provide cash to finance investments and ongoing operations, to attract customers willing to build a long-term relationship, to find suppliers willing to provide goods and services on credit, and to find employees willing to perform the work to be done. Companies that are “out of control” are not regarded as trustworthy and find it difficult to attract investors, customers, suppliers and employees.

Corporate governance is the name that is often given to the topic of ongoing public debate about the way in which companies are managed, communicate to their shareholders and are held accountable for their actions.

Therefore, stakeholders expect companies to behave as good housekeepers in trying to avoid disruptions in routine business processes and unpleasant financial surprises.

After the recent financial scandals governments around the world are tightening the laws and regulations on internal control and corporate governance.

The Sarbanes-Oxley Act has come into force in order to minimize information gaps between stakeholders and organizations and ensure reliability and transparency of financial reporting.

The Code Tabaksblat is a Dutch regulation that requires companies not only to ensure the reliability of their financial reporting, but also to achieve objectives in operational and strategic areas.

Within corporate governance special attention can be assigned to IT Governance because Information Technology takes an important place in achieving an organization’s strategy.

CobiT, Control Objectives for Information Technology, is a framework that supports management in understanding and controlling IT-related risks. The framework is based on the principle that information in an organization is necessary for achieving objectives, and that in realizing company objectives this information needs to comply with quality requirements.

Design methodology of De Leeuw

The design methodology of De Leeuw can be divided in the following steps:

Step 1: Diagnosis

The diagnosis starts with the diagnostic research question: What is the problem? The result of the diagnosis must be one main research question. The diagnosis consists of viewing the problem from many sides, analyzing, assessing and describing it.

Step 2: Design

Designing solutions contains two elements: determining the direction in which the problem will be solved, and working that direction out into concrete design measures.

Step 3: Change/ Realization

The phase of change and realization is the step in which the solution is realized.

Step 4: Evaluation

Evaluation is done in two ways: by testing the realized solution against the research question and, finally, by evaluating to what extent the problem has disappeared.


Figure 7: Design methodology of De Leeuw (labels: Diagnosis: diagnostic research question, many-sided view, assess, describe, main research question; Design: determine direction, design; Realization of change; Evaluation)

1.6 Chapter summary

In this chapter we first discussed DSM’s company profile, CIC and the cause of the research project, and secondly the translation of DSM’s request into methodological aspects such as the research plan, the conceptual model and the theoretical framework.

The research project started with a clear request of CIC that brought us to the following research goal:

Improving the management of BPCDs for Corporate Internal Control in the course of which the alignment of BPCDs with DSM’s Risk Management System will be reviewed.

Two research questions have been set up in order to find a solution for the problem experienced by CIC. The first question discusses the alignment of BPCDs with DSM’s Risk Management System, while the second question deals with the practical resolution of DSM’s problem. The conceptual model encompasses the research questions and the theoretical and practical aspects of the research project, but also functions as a research model by giving an overview of how these aspects are divided over the chapters of this thesis.


2 DSM’s Risk Management System

This chapter gives an answer to the first research question:

Do the process risks and control models of DSM fit in DSM’s Risk Management System?

Figure 8: Overview structure chapter two

In obtaining an answer to the above question, DSM’s Risk Management System will be discussed from two points of view.

COSO’s Framework of Enterprise Risk Management plays a vital role in describing DSM’s Risk Management System in paragraph 2.1. While the COSO framework focuses on how to embed risk management and internal control within the organization, the corporate governance debate refers to the external reporting about an organization’s internal risk management and control system.

In other words, paragraph 2.1 deals with how DSM has set up its own internal risk and control system, and paragraph 2.3 explains why and by what DSM’s risk management methodology is influenced. The importance of external reporting is emphasized by legislation such as the Sarbanes-Oxley Act and the Code Tabaksblat, which recently came into force.

Both streams affect DSM’s Risk Management System, and thus also the BPCDs, the main focus in this thesis.

Finally the question how BPCDs fit in DSM’s Risk Management System will be evaluated by taking into consideration in what way BPCDs contribute to DSM’s Risk Management System and the objectives of Enterprise Risk Management.

Figure 8 (labels): 2.1 DSM’s Risk Management approach (internal approach to internal control: Enterprise Risk Management); 2.2 Business Process Control Designs; 2.3 External approach to internal control: Corporate Governance & IT Governance

2.1 DSM’s Risk Management System

Management control, or the internal control system, encompasses the processes by which the management of an organization aims to control the business activities.9

Management control, as the most important instrument of the internal control system, is directed at the implementation and realization of pre-defined goals.

Figure 9: Four levers of control systems

Robert Simons has determined that management control is the result of four kinds of control systems.10

The application of these control systems focuses on and aims at getting employees to achieve the organization’s goals.

The boundary system will be the main point of focus in this thesis. Implementing the components of COSO’s Framework of Internal Control and of the recently issued Framework regarding Enterprise Risk Management are ways of realizing a system in an organization that gives reasonable assurance that risks will be avoided in order to achieve the organization’s goals.

DSM’s approach in avoiding risks or risk management has been developed around COSO’s Framework of Internal Control.11 COSO’s definition of internal control is as follows:

9 Starreveld et al., 2002. p. 81

10 Starreveld et al., 2002. p. 83

11 Committee of Sponsoring Organizations of the Treadway Commission, Internal Control- Integrated Framework, 1992

Figure 9 (labels): Business Strategy at the center; Diagnostic control systems: critical performance variables; Boundary system: risks to be avoided; Beliefs system: core values; Interactive control systems: strategic uncertainties

Internal control is a process, affected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories.

• Effectiveness and efficiency of operations

• Reliability of financial reporting

• Compliance with applicable laws and regulations

DSM’s definition of internal control is the following:

Internal control at DSM is defined as the process, affected by an entity’s line management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Management of risks in business and its processes;

• Safeguarding of assets (tangible and intangible);

• Quality (including reliability) of internal and external reporting;

• Compliance with applicable laws and regulations, corporate policies / requirements / guidelines.

Figure 10: Components Internal Control and Enterprise Risk Management

Recently, a more elaborate framework by COSO has come into the limelight, namely Enterprise Risk Management.

Figure 10 (labels): Internal control framework: control environment, risk assessment, control activities, information & communication, monitoring. Enterprise Risk Management framework: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information & communication, monitoring.

Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

An important difference from COSO’s Framework of Internal Control, which focuses only on operations, reporting and compliance, is that Enterprise Risk Management adds a strategic component to its framework. ERM makes risk management an integral part of the policy for achieving entity objectives.

• Strategic objectives- relating to high-level goals, aligned with and supporting the entity’s mission

• Operations objectives- these pertain to the effectiveness and efficiency of the entity’s operations, including performance and profitability goals and safeguarding resources against loss.

• Reporting objectives- these pertain to the reliability of reporting. They include internal and external reporting and may involve financial or non-financial information.

• Compliance objectives: these pertain to the entity’s compliance with applicable laws and regulations.

Although this is not explicitly shown in DSM’s House of Internal Control, and considering that most entities will implement Enterprise Risk Management within their organization, DSM’s Risk Management System will be discussed along the lines of COSO’s Framework of Enterprise Risk Management.

Figure 11: DSM’s House of Internal Control

Figure 11 (labels): Mission; Corporate Strategy Dialogue, Business Strategy Dialogue; Business Risk Assessment, Process Risk Assessment; Process Controls, DSM Values, Corporate Requirements, Business Steering models; Standardized processes, systems and ICT infrastructure (e.g. Apollo/ Hermes); Monitoring tools, audit committees, Letter of Representation. Corresponding ERM components: Objective setting; Internal environment; Event identification; Risk assessment; Risk response; Control activities; Information & Communication; Monitoring.

DSM’s internal environment is the foundation for all other components of enterprise risk management, providing discipline and structure. The internal environment could be seen as the organizational culture and organizational structure.

Behavior and attitudes of line managers have a significant impact on the organizational culture, as they set the tone at the top. Therefore line managers should always act in accordance with the DSM Values and Corporate Requirements. Furthermore, Business Steering models like DSM’s Value Based Business Steering are part of the internal environment.

Besides organizational culture, a transparent organizational structure is also very important for the purpose of enterprise risk management. A clear organizational structure avoids misunderstandings about tasks, authorizations and accountabilities regarding business processes and underlying process activities.

DSM has introduced a new way of organizational thinking in which the business processes are the starting point. The activities performed in a business process are clustered into roles. Roles might be clustered into a position represented by a person.

In line with DSM’s emphasis on business processes and the implementation of SAP in these business processes, the objectives of specific processes like Order to Cash, Purchase to Pay and Demand Supply Chain Management are defined in process requirements. Process requirements, as part of the corporate requirements, are mandatory instructions in which standard roles are defined according to the principle of segregation of duties. In this way the standard roles defined in the Corporate Requirements directly influence the organizational structure.

Objective setting is a precondition to event identification, risk assessment and risk response.

Firstly, there must be objectives before management can identify risks to their achievement and take necessary actions to manage the risks.

An entity’s mission sets out what the entity aspires to achieve. The Managing Board of DSM formulates the mission. Furthermore, the Managing Board conducts a Corporate Strategy Dialogue every five years. The last one was performed in 2000 and was called Vision and Focus 2005; therefore a new Corporate Strategy Dialogue will take place in 2005.

Within the top-down framework of the Corporate Strategy, Business Groups are free and responsible to establish their own Business Strategy.

The Business Strategy Dialogue is a tool for achieving these objectives and should be executed every three years. The Business Strategy Dialogue involves all kinds of analyses, such as an analysis of strengths, weaknesses, opportunities and threats.

Taking DSM’s Mission and Corporate Strategy as starting point, management of Business Groups sets its own strategic objectives, formulates strategy and establishes related objectives for the organization. Strategic objectives are the basis for the formulation of operations, reporting and compliance objectives.

An event is an incident or occurrence emanating from internal or external sources that could affect


risks, while events with a potentially positive impact represent opportunities. Note, however, that opportunities and risks are often interchangeable, as both are inherent to being in business and both need to be managed in a balanced way.

To avoid overlooking relevant events, event identification is best made apart from the assessment of the likelihood of the event occurring, which will be the next topic.

Risk assessment allows an entity to consider the extent to which potential events might have an impact on the achievement of objectives. In other words, management considers the mix of potential future events relevant to the entity and its activities. This encompasses examining the factors, including entity size, complexity of operations and degree of regulation12 over its activities, that shape the entity’s risk profile and influence the methodology it uses to assess risk.

Based on the Corporate Requirement on Unit Risk Management the Business Group/ Unit is obliged to assess its own risks and to implement and maintain internal controls to mitigate perceived risks.

In other words the risk and control assessment process at DSM is primarily based on self-assessment.

This means that the internal controls within an entity or business process are based on risks that are identified by the staff working for the entity or process in question. In DSM’s opinion competent staff are best placed to discuss and evaluate the risks and controls affecting their own working environment.

12 Regulation like FDA’s cGMP, good manufacturing practice or the REACH proposal

13 Every year the Managing Board undertakes a Corporate Risk Assessment. Major risks identified last year during the Corporate Risk Assessment will be important input for the Corporate Strategy Dialogue.

14 Kinney, 2000, p. 57

Figure 12: Risk assessment process at DSM hierarchically13 (labels: Corporate Risk Assessment, Business Risk Assessment, Process Risk Assessment, Business Process Control Design; levels: Managing Board, Organization, ERP)

Before explaining how DSM recognizes the different risk levels shown in the above figure, a definition will explain what a business risk actually is.

Business Risk is the threat that an event or action will adversely affect an organization’s ability to achieve its business objectives and execute its strategies successfully.14 A business faces many threats to achieving its objectives and to executing its strategies. Business risks can be classified in many ways. One useful way, similar to the approach of DSM, is the following:

1 External environment risks: threats from broad factors external to the business, including substitute products, changes in customers’ tastes and preferences, competitors, the political environment, laws and regulations, etc. These kinds of risks are analyzed during a BRA. Quite often these risks are already identified during the Business Strategy Dialogue performed by a Business Group every three years.

However, management of the Business Group and Unit should monitor the occurrence of sudden events that change the risk profile to such an extent that a BRA, PRA or Control Assessment needs to be done.

The purpose of a BRA is to produce a limited list of serious risks for the business. At the end of the BRA the main business risks are linked to the various business processes. Because risks do not concern themselves with departmental boundaries, it makes sense to look at business processes instead.

2 Business process and asset loss risks- threats from ineffective or inefficient business processes for acquiring, financing, transforming, and marketing goods and services, and threats of loss of firm assets including its reputation. These kinds of risks are discussed during a PRA.

Risks identified during a PRA often constrain entities in achieving the operations, reporting and compliance objectives.

PRAs are conducted for every business process and seek to assess the main process risks, the quality of the related controls and the opportunities for improving these controls.

3 Information risks – threats from poor-quality information for decision-making within the business and erroneous information provided to outsiders.

Especially the introduction of SAP as information system made DSM aware of the importance of information risks. DSM anticipated this by mapping, in the BPCDs, the process risks and controls that influence the reliability of information; the BPCDs form the lowest level of DSM’s risk assessment process.

After assessment of the relevant risks it is very important to respond to these risks in an adequate and effective manner. All risks identified during a BRA and PRA are evaluated on impact and likelihood.

These parameters determine the risk response of Business Groups.

Depending on the potential reward you can choose to accept a risk, transfer it, share it, take steps to minimize it, or avoid it as shown in the figure below.

As already mentioned under the internal environment, the corporate requirements have an important function in the risk response. Corporate requirements are mandatory instructions that simply do not allow Business Groups to take certain risks. Risks relating to the assignment of roles to employees have been taken care of by fixing those roles in the Corporate Requirements. DSM holds that these minimum controls should be present in every entity of DSM.

However, as explained before, Business Groups assess business risks and process risks themselves, and are thus responsible for deciding whether a risk is acceptable and how to respond to it. If

Business Groups have a certain level of freedom in building an internal risk system within their organization, within the corporate risk management framework.

DSM, as an entity producing chemicals, performance materials and life science products, should ensure that enough controls are in place to comply with regulation such as the good manufacturing practice of the United States Food and Drug Administration or the REACH proposal of the European Union.

In DSM’s Functional Requirements, such as those for Safety, Health and Environment, controls are formulated to cover the major risks related to specific functional fields.

Process Requirements, on the other hand, contain the policies and minimum controls that should be in place in DSM’s business processes.

Procedures that put policies into effect are called Business Process Control Procedures and are mapped in an intranet tool called BWise. All successive work activities performed within a particular business process are described, and the internal controls related to that business process are embedded in those procedures, in the related work instructions, or in the described tasks, authorizations and accountabilities per employee.

Figure 13: Risk assessment and control15

Besides policies and procedures as control activities in the process by which an enterprise strives to achieve its business objectives, controls are needed over information systems.

15 Ibid., p. 61

(Figure 13 labels: Identify, determine source, and assess level (magnitude and probability) of risk; Is risk/reward acceptable? Yes: accept risk; No: avoid risk or prevent at source; Potentially: transfer or share risk, design risk reduction process; Monitor for exceptions and changes; Corporate requirements simply do not allow taking certain risks.)

COSO distinguishes two different kinds of information controls, general and application controls that will be explained in paragraph 2.3.

Information and communication refers to the fact that every company identifies and captures information –financial and non-financial, relating to external as well as internal events and activities, relevant to managing the entity. This information is delivered to personnel in a form and timeframe that enables them to carry out their enterprise risk management and other responsibilities. Information systems like SAP use internally generated data, and information about external events, activities and conditions, providing information for managing enterprise risks and making informed decisions relative to objectives.

Open communication on ethical values, risks and controls and the outcomes of monitoring activities is crucial to the effectiveness of any system of internal control.

Monitoring is a process that assesses the presence and functioning of the enterprise risk management components over time. This is accomplished through ongoing monitoring activities, which occur in the normal course of management activities, through separate evaluations, or through a combination of the two. Monitoring is within the scope of the True Blue project, which has started the roll-out of a monitoring tool that can be used for ongoing monitoring activities. Deficiencies detected with the monitoring tool are reported upstream, with serious matters reported to top management and the Managing Board. The Letter of Representation is used as the official communication report in which a Business Group indicates in what way it is in control.


2.2 Business Process Control Designs

Starting with the Apollo project several years ago, DSM has implemented standard business processes throughout the organization, supported by a standard information system, SAP.

Due to changes in information technology, such as the use of SAP, an ERP system, to support business processes, the assessment and control of business process risks have become increasingly important in recent years.16

DSM anticipated this development by mapping the process risks and controls related to the ERP system in BPCDs.

Before discussing the controls in the BPCDs, the importance of controls in an ERP-environment will be shown.

Figure 14: Importance of ERP

Initially, ERP systems aimed at supporting several activities in the business processes of an organization.17 In that way ERP systems contributed to the efficiency and effectiveness of business processes.

Because of the huge amount of transaction information recorded in them, ERP systems were soon also used for recording data and providing information.

Nowadays the operational system is intertwined with the information system in such a way that it is no longer possible to distinguish between the components of the system that support the business processes and the components in which managerial information is generated.

16 Ibid., p. 58-59

17 Van Kessel, 2002. p.211

(Figure 14 labels: Strategic level: mission, strategy and organizational objectives; Operational level: business processes; Information level: information system → SAP R/3; Business Process Control Designs: quality of information (internal & external), effectiveness and efficiency of operations; Information, Operations.)

Internal control within an ERP environment focuses on the efficiency and effectiveness of business processes as well as on the reliability of financial and non-financial information.18 Internal control of the business process also leads, to a great extent, to internal control of the data processing.

Conversely, measures meant to control data processing usually have a positive effect on the control of business processes.

Because data processing and business processes can no longer be separated from each other, the two sets of internal controls cannot be separated either.

Figure 15: Control objectives from Information Accounting Systems19 in an ERP environment

The character of COSO’s internal control objectives fits well with the definition that Starreveld used for Information Accounting Systems:20

‘All activities regarding the systematically collecting, recording and processing of data aimed for providing information for managing in narrow sense and the functioning and controlling of a housekeeping, and for the accountability about it’.

Figure 15 makes clear the importance of controls within the ERP environment, and in particular controls regarding collecting, recording and processing of data in the SAP system as being in use at DSM.

18 Ibid, p. 212

19 Franssen, 2002 p. 132

(Figure 15 labels: ERP environment; Internal reliability system: information control, safeguarding control, authorization control; Collecting, recording and processing of data; Managing, functioning, controlling; Reporting: internal, external; Reliable information; Effectiveness & efficiency; Safeguarding of assets; Reliable, regulatory; BPCDs.)

The application of an internal reliability system, as explained in the theory of Starreveld,21 gives reasonable assurance that the information in the SAP system is reliable.

Organizational measures and specific measures determine effectiveness of reliability measures.

Important organizational measures are those for segregation of duties. These are in general preventive measures: by taking them one seeks to prevent undesirable situations such as irregularities and to safeguard the assets belonging to the entity. Specific measures, on the other hand, often have a repressive or detective character. They exist because the totality of organizational measures can never by itself guarantee the reliability of the information system. It follows that one should strive for the optimal mix of organizational and specific control measures.

DSM has laid down the principle of the ‘internal reliability system’ in its BPCDs.

As the final step in DSM’s Risk Assessment approach, the process risks in the standardized business processes are the starting points of the BPCDs.

These BPCDs contain all potential process risks and the corresponding sets of internal controls for mitigating these risks when building or modifying an automated information system.

The standard DSM integrated internal control approach for ERP-projects is based on end-to-end solutions. The complete business process including the ICT infrastructure must be covered.

Figure 16: Standard approach distinguishes five areas of internal control

First of all, to ensure that business processes are under control and that identified process risks are mitigated to acceptable levels, a BPCD should be developed for every business process. The BPCD gives a comprehensive view of the process risks and the corresponding controls: customization, authorizations, reports and procedures.

21 Starreveld et al., 2002. p. 396

(Figure 16 labels: Business Process Control Design; Business Process Procedures; Application authorizations; Interface and data integrity; ICT infrastructure integrity; Corporate Internal Control; Corporate ICT.)

Figure 17: Four kinds of controls can be distinguished in the BPCDs

The controls are detailed right down to the level of individual transactions, as this is where the control measures have to be organized within an automated system. The principle of segregation of duties, as derived from the corporate requirements, is embedded in the SAP system at transaction level.

For all critical transactions in the SAP system the corresponding roles are determined and assigned to specific persons. The segregation of duties principle can be found under the security controls in the Business Process Control Designs.
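The two passages above (standard roles clustered from process activities under the corporate requirements, and segregation of duties embedded at transaction level) describe a check that can be automated: given which transactions each role grants and which roles each person holds, find the persons whose combined roles let them execute a conflicting pair of transactions. The script below is an added example written for this thesis page; it is not DSM’s tooling, not part of any BPCD, and not SAP code. The transaction names, role names, users and the conflict matrix are all constructed for illustration (they are not real SAP transaction codes or DSM roles); a real check would be fed the conflict matrix from the BPCD security controls and the role and user assignments exported from the authorization system.

```python
"""Segregation-of-duties (SoD) check over role-to-transaction assignments.

Added example; not part of the thesis, DSM's tooling or SAP. All names
below are constructed for illustration.
"""

# Constructed conflict matrix: pairs of transactions that one person must
# not be able to execute together. Each pair is a typical SoD conflict
# (e.g. maintaining a vendor and releasing payments to it).
SOD_CONFLICTS = {
    frozenset({"VENDOR_CREATE", "PAYMENT_RELEASE"}),
    frozenset({"PURCHASE_ORDER_CREATE", "GOODS_RECEIPT_POST"}),
    frozenset({"SALES_ORDER_CREATE", "CREDIT_LIMIT_CHANGE"}),
}

# Constructed standard roles: each role bundles the transactions needed for
# a cluster of process activities (roles as defined by process requirements).
ROLE_TRANSACTIONS = {
    "AP_MASTER_DATA": {"VENDOR_CREATE", "VENDOR_CHANGE"},
    "AP_PAYMENTS": {"PAYMENT_PROPOSE", "PAYMENT_RELEASE"},
    "BUYER": {"PURCHASE_ORDER_CREATE"},
    "WAREHOUSE": {"GOODS_RECEIPT_POST"},
    "SALES_DESK": {"SALES_ORDER_CREATE"},
    "CREDIT_CONTROL": {"CREDIT_LIMIT_CHANGE"},
    # Deliberately badly designed role: conflicting on its own.
    "AP_ALL_IN_ONE": {"VENDOR_CREATE", "PAYMENT_RELEASE"},
}

# Constructed user-to-role assignments (a position is a set of roles).
USER_ROLES = {
    "alice": {"AP_MASTER_DATA", "AP_PAYMENTS"},   # conflict via two roles
    "bob": {"BUYER"},                              # clean
    "carol": {"BUYER", "WAREHOUSE"},               # conflict via two roles
    "dave": {"SALES_DESK", "CREDIT_CONTROL"},      # conflict via two roles
    "erin": {"AP_ALL_IN_ONE"},                     # conflict inside one role
}


def transactions_for(roles, role_map=ROLE_TRANSACTIONS):
    """Union of all transactions reachable through the given roles."""
    txns = set()
    for role in roles:
        txns |= role_map.get(role, set())
    return txns


def conflicting_pairs(txns, conflicts=SOD_CONFLICTS):
    """Sorted list of conflict pairs fully covered by a transaction set."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= txns)


def role_conflicts(role_map=ROLE_TRANSACTIONS, conflicts=SOD_CONFLICTS):
    """Design-time check: roles that are conflicting on their own.

    Such a role can never be assigned without violating SoD, so it should be
    split before any user receives it.
    """
    return [
        (role, pair)
        for role, txns in sorted(role_map.items())
        for pair in conflicting_pairs(txns, conflicts)
    ]


def user_violations(user_roles, role_map=ROLE_TRANSACTIONS,
                    conflicts=SOD_CONFLICTS):
    """Assignment-time check: {user: [conflicting pairs]} over combined roles.

    The check is done on the union of a user's roles, because two roles
    that are individually clean can still be conflicting when held together.
    """
    result = {}
    for user, roles in sorted(user_roles.items()):
        hits = conflicting_pairs(transactions_for(roles, role_map), conflicts)
        if hits:
            result[user] = hits
    return result


def is_sod_compliant(user_roles, role_map=ROLE_TRANSACTIONS,
                     conflicts=SOD_CONFLICTS):
    """True when no role and no user assignment covers a conflicting pair."""
    return not role_conflicts(role_map, conflicts) and \
        not user_violations(user_roles, role_map, conflicts)


if __name__ == "__main__":
    for role, pair in role_conflicts():
        print(f"role design conflict: {role} grants {pair[0]} and {pair[1]}")
    for user, pairs in user_violations(USER_ROLES).items():
        for a, b in pairs:
            print(f"SoD violation: {user} can execute {a} and {b}")
    print("compliant:", is_sod_compliant(USER_ROLES))
```

The check runs at two points that correspond to the two passages: once on the role catalogue (a role that is conflicting on its own is a design error in the standard roles) and once on the user assignments (two individually clean roles can still conflict when clustered into one position). Where a conflict cannot be removed by re-assigning roles, the detective control reports discussed later in this section are the usual compensating control.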

Furthermore corporate requirements influence Business Process Control Procedures as well.

Business Process Control Procedures are documented in the DSM standard tool BWise in line with best practices for business processes. All standard business processes are described on the level of procedure modeling. Procedures in BWise describe the activities, roles involved, instructions and the relevant SAP transaction codes.

As automated application controls increasingly replace manual controls, general controls are becoming more important. All DSM-specific automated controls can be found under the field of customization.

Control reports are a special kind of control that mostly represents reviews of operating performance.

Thus control reports have a detective character and can be viewed as a special kind of Business Process Control Procedure.

Finally, DSM seeks an optimal mix between the more technical approach to internal control in the SAP system (customization and security controls) and the more organizational approach to internal control (reports and procedures).
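The two control types discussed above, segregation of duties embedded at transaction level (a preventive security control) and control reports (a detective control), can both be expressed as checks over the same role model. The following is an added example and not DSM's BPCD tooling or BWise content: the users, roles, conflict rules and the transaction log lines are constructed, and the transaction codes (FK01, F110, ME21N, MIGO, MIRO, FB60, FK02, ME22N) are standard SAP codes used here only for illustration.

```python
"""Segregation-of-duties (SoD) checks over an SAP-style role model.

Added example, not DSM's own tooling. Users, roles, conflict rules and
the transaction log are constructed; the transaction codes are standard
SAP codes used only for illustration.
"""
from collections import defaultdict

# Constructed SoD conflict rules: pairs of critical transactions that one
# person must not be able to execute both of, with the business reason.
SOD_RULES = {
    frozenset({"FK01", "F110"}): "create vendor master + run vendor payments",
    frozenset({"ME21N", "MIRO"}): "create purchase order + post vendor invoice",
    frozenset({"MIGO", "MIRO"}): "post goods receipt + post vendor invoice",
}

# Constructed role-to-transaction design, as it would be mapped in a BPCD.
ROLE_TCODES = {
    "Z_AP_CLERK": {"MIRO", "FB60"},
    "Z_AP_PAYMENT": {"F110"},
    "Z_VENDOR_MAINT": {"FK01", "FK02"},
    "Z_PURCHASER": {"ME21N", "ME22N"},
    "Z_WAREHOUSE": {"MIGO"},
}

# Constructed user-to-role assignment.
USER_ROLES = {
    "alice": {"Z_AP_CLERK", "Z_AP_PAYMENT"},   # MIRO, FB60, F110: no rule hit
    "bob": {"Z_VENDOR_MAINT", "Z_AP_PAYMENT"},  # FK01 + F110: conflict
    "carol": {"Z_PURCHASER", "Z_WAREHOUSE"},    # ME21N + MIGO: no rule covers it
    "dave": {"Z_PURCHASER", "Z_AP_CLERK"},      # ME21N + MIRO: conflict
}


def user_tcodes(user):
    """Effective set of transactions a user can execute through their roles."""
    codes = set()
    for role in USER_ROLES.get(user, ()):
        codes |= ROLE_TCODES.get(role, set())
    return codes


def preventive_sod_check():
    """Role-design check: which users hold both sides of a conflict rule?

    This is the preventive (security) control: it is run on the authorization
    design before access is granted. Returns {user: [rule description, ...]}.
    """
    findings = {}
    for user in sorted(USER_ROLES):
        codes = user_tcodes(user)
        hits = [desc for pair, desc in SOD_RULES.items() if pair <= codes]
        if hits:
            findings[user] = sorted(hits)
    return findings


# Constructed transaction log lines: "timestamp user tcode business_object".
LOG_LINES = """\
2005-06-01T09:12 alice MIRO 5100000123
2005-06-01T09:40 carol ME21N 4500000077
2005-06-01T10:05 carol MIGO 4500000077
2005-06-02T08:30 erin FK01 V-001234
2005-06-02T08:31 erin F110 V-001234
2005-06-02T11:00 dave ME21N 4500000078
2005-06-03T14:20 frank MIRO 4500000078
"""


def detective_sod_report(log_text):
    """Detective control report: users who actually executed both transactions
    of a conflict pair on the same business object.

    Unlike the preventive check this works on what happened, so it also
    catches access granted outside the role design ('erin' appears in no
    role assignment at all). Returns a list of (user, object, description).
    """
    by_user_obj = defaultdict(set)
    for line in log_text.splitlines():
        _ts, user, tcode, obj = line.split()
        by_user_obj[(user, obj)].add(tcode)
    violations = []
    for (user, obj), codes in sorted(by_user_obj.items()):
        for pair, desc in SOD_RULES.items():
            if pair <= codes:
                violations.append((user, obj, desc))
    return violations


if __name__ == "__main__":
    print("Preventive SoD findings:", preventive_sod_check())
    print("Detective SoD report:", detective_sod_report(LOG_LINES))
```

The preventive check corresponds to the security controls in a BPCD (it reasons over the authorization design), while the detective report corresponds to a control report (it reasons over executed transactions); running both is the technical/organizational mix the text describes, because a clean role design does not by itself prove that nobody executed conflicting transactions.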

[Figure 17 (image not reproduced): labels Process, Risks, BPCD, Customization, Security, Reports, Business Process Control Procedures, Technical fit, Organizational fit.]

Although the COSO report mentions the control goal of effectiveness and efficiency of the business processes, in practice (from the point of view of Information Accounting Systems) this has still not been realized.22 The system of internal control measures mainly focuses on guaranteeing the reliability of (financial) information. Out of tradition, most control moments have been built for the handing over of information. Because of these transfers, segregation of duties has been assured, but it also results in waiting time in processing services and products.

Far-reaching segregation of duties secures the reliability of information, but it is in tension with the efficiency and lead time of processes.

Therefore we can conclude that the importance of most controls mapped in the BPCDs lies in guaranteeing the quality of information in the SAP system.

However, the Apollo IC Maintenance process described in the next chapter deals with both operations and information. Changes to functionalities in the SAP system, or the addition of new functionalities, focus on improving the effectiveness and efficiency of the business process, thereby ensuring the quality of information in the information system and thus also of the business process.
