AIR TRAFFIC CONTROL
After experiencing major fraud, Singapore Airlines turned to Control Self Assessment to manage its process risks in a unique way.
By Justin Wood

For managers at Singapore Airlines (SIA), January 2000 is a month few will forget. Just weeks into the new millennium, an ad hoc review by the company's internal audit team unearthed a shocking fraud - one that had gone unnoticed for 13 years.

The review centered on the cabin crew division at the S$9.8 billion-a-year (US$5.9 billion) airline, and in particular the payment of cabin crew allowances. Henry Teo Cheng Kiat, an administration supervisor, had been solely authorized to determine the names of the claimants, the amount of the claims, and the receiving bank accounts for all the company's cabin crew allowance payments. Such a position offered plenty of opportunity for personal gain, and Teo succumbed to the temptation in spectacular fashion, siphoning off almost S$35 million - in small amounts spread over many years - into his own pocket.

In the months that followed the discovery, SIA managed to recover a good deal of Teo's ill-gotten gains. And the supervisor himself, 47 years old at the time, was sentenced to 24 years in Changi Jail for criminal breach of trust.

More significantly, the top managers at the airline decided they needed to overhaul their system of internal controls. A new approach was needed, one that would dramatically reduce the chances of such a fraud ever recurring. Several trends in the wider world added fuel to their desire for change. For one, Singapore, like many other countries, was in the process of introducing tough new corporate governance regulations. Equally, many companies were in the midst of changing their views about handling risk, moving away from an insurance mindset towards one of more active risk management.

It all added up to a complete re-think of how the firm tackled the related issues of risk, control, and corporate governance. For other companies in the region, the experience of SIA in the four years since early 2000 offers interesting insights into what a best practice control environment might look like.

Project pilot

To help spearhead the new approach, SIA decided to bring in an outsider. It recruited James Whitley, a senior partner at Ernst & Young in the US, to be its head of internal audit. When he arrived, recalls Whitley, he could tell immediately that many of the company's practices needed sharpening up.

"The internal audit function was primarily compliance-oriented and concentrated on individual departments rather than focusing on processes and risks," he says. What's more, he adds: "Managers throughout the company tended to regard internal audit as the keepers of internal controls when in fact the managers themselves should have been the keepers."

So it was that SIA began to sketch out a new framework for managing risk, monitored by the company's board-level risk and audit committee. First, SIA created four broad categories of risk - regulatory, strategic, operational, and financial. Equally importantly, it identified three different levels of risk. At the top were "planning risks", those that affected the long-term corporate goals of the group, and which were to be managed by the firm's most senior managers. In the middle were "functional risks", those that could cause serious business disruptions such as the failure of an IT system, and which were to be coordinated by SIA's risk management team. Finally, at the base of the risk pyramid, came "process risks". These were the company's lowest-level risks that arose out of the everyday activities of its staff due to errors, non-compliance, or abuse of internal control procedures.

Whitley, whose contract with SIA ends this December, and his internal audit team were involved at all levels of the risk management process, in particular acting as the conduit for risk information up to the company's audit committee. Most importantly, he was also put in charge of improving the way SIA identified and managed its process risks.

To that end, Whitley and SIA turned to a tool known as Control Self Assessment (CSA) and enlisted the help of consultants from PricewaterhouseCoopers (PwC). Although not a new technique - CSA was famously pioneered by Gulf Canada back in 1987 - its use in Asia is limited. Indeed, a report released by Singapore's Institute of Internal Auditors in 2003 states that: "Generally, the awareness of CSA is very low in Singapore É we observed that multinational companies are way ahead of developing CSA compared to [local] companies."

Put simply, CSA is a methodology used to review all of a company's key business processes, to identify the risks in those processes and then to ensure that internal controls are in place to manage those risks. Fundamental to the technique is the identification of individual owners for each of the company's critical processes and the cultivation of a sense of personal responsibility in those owners for their own controls.

As Keith Stephenson, a partner at PwC who helped design SIA's CSA program, explains: "The idea is to reinforce the ownership of controls back into the lines, to force accountability and responsibility for controls down to the level where they're being implemented."

Flight path

The first step to introducing the program at SIA was the laborious task of mapping out all of the company's main processes and sub-processes along with the controls embedded within them. Just as important was the need to identify the owners of each process and control. "We started from a mapping standpoint so that we understood all of our processes and who was managing them," says Whitley.

That done, SIA and PwC then held a series of risk workshops built around the results of the mapping exercise - with each workshop targeting a particular process. During those sessions, which lasted around three hours, staff tried to identify every possible risk they believed could lead to a breakdown in the process they managed. Much of the input to the discussion was done anonymously through computer screens, an arrangement that Whitley says yielded greater candor among participants.

Once all the risks were identified, the staff prioritized them from the greatest down. The top 20 or so risks that came out of the workshop were then mapped back to the process in question and used as the basis for drafting out new, improved minimum acceptable controls, or MACs. The result is that every process now has in place a list of key MACs - just three or four pages long - that govern that process, and significantly, those MACs are designed specifically to address the areas of greatest risk.

"The key to everything is the identification of risk," notes Stephenson. "Everything else falls out from that." In all, SIA and PwC have together held in excess of 130 such risk workshops around the world, taking in every key process in the group and touching on every department, from finance to marketing to engineering to human resources. But CSA doesn't end there. To really drive home the notion of ownership, every year each control owner and each process owner must complete and sign a questionnaire assessing themselves on how well they are applying their MACs. The basis for assessment is a standardized five-point scale, with controls opinions ranging from "good" to "needs strengthening" to "weak".

Of course, Whitley and his internal audit team also do their own checks, matching their own assessments of control strengths against the assessments given by the owners themselves. Any disparities carry serious consequences - including a phone call from SIA's group CEO. Fortunately, says Whitley, process owners have quickly realized the benefits of honesty in assessing themselves - good controls are likely to improve the overall performance of their particular operations.

Targeting turbulence

Whitley also uses the results of the CSA questionnaire to determine his audit schedule for the year ahead. "We have scarce resources, so we target areas that show up with the greatest risks and the weakest controls," he says. "It's a truly risk-based audit approach."

Needless to say, to keep the CSA program fresh it has been set up on a rolling basis. The aim is for each business process to undergo a risk workshop and to have its MACs and CSA questionnaire adjusted as a result every 18 months. To that end, SIA is now in the second cycle of workshops.

"Often you find companies with thick control manuals that are horribly out-of-date," says Stephenson. "But the great thing about CSA is that it keeps your controls current." After all, he adds: "Change is one of the key triggers of risk."

There are other benefits too. Quite apart from driving accountability down to the coal-face of the company, it also brings confidence to those at the very top. In particular, SIA's audit committee now has a robust system for assessing the strength of the group's internal controls.

Once a year, Whitley sits down with the committee and shows them the results of the CSA questionnaires. He then shows them the assessments his internal audit team have made of a sample of those same processes. "There's a reconciliation between the two," he states, "that is documentary proof for them to comment on the strength of our internal control framework."

Stephenson agrees. "It's a very comforting process for an audit committee," he stresses. "Come judgement day in a court of law, CSA is tangible evidence to support a statement about having good controls in place."

With 20 years left to go of his jail term, Teo Cheng Kiat doubtless wishes SIA had set up such a system long ago.

Justin Wood is managing editor of CFO Asia, based in Singapore.