RISK MANAGEMENT – Risky? It’s all just a question of control

Is the glass half empty or half full? Do you see the effective management of business risk as the prevention of mistakes or the maximising of potential?

If you subscribe to the second philosophy then you could be on the way to seizing the last untapped source of competitive business advantage. In the corporate governance debate attention has tended to focus on the need for internal controls as a defence against business evil. The control shield, we are told, helps fend off the fire-breathing dragons of corporate wrong-doing. Dominant directors can be impeded from fiddling the pension fund. Corporate crashes that result from hidden accounting holes can be kept to the unavoidable minimum.

The Hampel Report, published in January, continued along this path, extending the importance of controls by removing the financial qualifier. Recommendation 53 states: “Directors should maintain and review controls relating to all relevant control objectives and not merely financial controls.” Though the Hampel recommendations have received a mixed reception, with critics saying they do little to advance the cause of good governance, this extension of the control requirement does have implications for directors.

“Post Hampel there needs to be a reconstitution of the Rutteman committee to clarify guidance for directors on internal control because there is now a mismatch between the guidance for directors and the expectations arising from Hampel,” says Martyn Jones, national audit technical partner at Deloitte & Touche. The original guidance was predicated on the assumption that only internal financial controls were at issue. “Now we are moving into an era where directors are being asked to review and maintain a system of internal controls that has wider objectives,” he adds. “The key thing for boards to be considering is whether they have a clear enough process to enable them to understand what people at all levels think about the resources and how they can be managed. There are three questions that boards have to be able to answer: What is the control status? Who is accountable? And what is the early warning mechanism?”

However, the debate now appears to be moving on from its control-led past. ACCA’s response to Hampel criticised the report for failing to address the key issue of business risk, arguing that disclosure of a board’s approach to risk should be a part of the corporate governance listing requirements recommended by Hampel. David Harvey, secretary of ACCA’s corporate governance review group, says the report draws “little attention to the process of identifying and managing risk, which a board supervises”.

That process of identifying and managing risk spreads the spotlight of debate onto the role of internal audit. Both ACCA and the Institute of Internal Auditors (IIA) said Hampel could have given internal audit a higher profile. The IIA said Hampel hadn’t put enough emphasis on the “crucial relationship” between internal auditing departments and audit committees and the board. While Hampel recommended that auditors should report privately to directors, the IIA says equal stress should have been placed on the reporting line between internal auditors and the audit committee, in order to provide “a more informed assessment of how risks are managed and the quality of the internal control mechanisms”.

The question of to whom internal auditors should report flags up the divergence between finance chiefs and internal audit heads. “Typically, the internal audit head would report to the finance director though there would be a separate line to the audit committee and the chief executive,” says Christopher Pearce, finance director of Rentokil Initial and chairman of the 100 Group of finance directors. “I would see the internal audit manager a lot and would ensure he is looking at the areas that we think are important to the financial position of the business. My job is to make sure the right controls are in place and that they work and that we have the right internal audit resources.”

However, Harold Izzard, an elder statesman of internal audit and IIA-UK spokesman, doesn’t think internal auditors should report to FDs, even if they can turn to higher powers for help. “Most big internal audit departments now still have a pay-and-rations line to the FD, but they also have a line to the audit committee,” he says. “So they can say if they are being restricted in their scope, but their job is on the line when they do that. Being independent in a job is always a tightrope walk.”

Similarly, Tarlok Teji, chief internal auditor at Asda, says the relationship between the internal auditor and the FD “needs to be very good and very close, but not necessarily subservient. There needs to be a healthy tension there. The finance department is the final backstop. It controls the purse strings so internal audit needs to be able to go in and say ‘You need to beef things up.’ Most importantly, there needs to be at least a dotted line to the non-execs, the audit committee.”

Again, there is divergence between internal auditors and finance directors over the extent of the role internal auditors should fulfil. “The role of internal audit became much more formal and more obviously important following Cadbury and the requirement to state in the annual report that the internal controls had been reviewed. In practice the best way to do that review is through the internal audit processes,” Pearce says. Yet he sees the typical role of internal audit as addressing financial risk and financial controls, rather than straying into broader business areas such as compliance with health and safety regulations or environmental issues.

In contrast, Izzard says the internal auditor’s brief should be far wider and cover all forms of control, for example, stock controls, or controls over the kinds of people recruited into the business. “These should all be the province of the internal auditor, and so should all risks,” he says. “Internal audit should not be mixed up with finance, really.”

Izzard says that internal audit has already started to expand its role. “Some internal audit departments are working alongside management to try to perceive the risks and help determine how they should deal with those risks,” he says. “Sometimes that may mean introducing more control, and sometimes agreeing the sort of risk they should take on business decisions. That’s quite new to internal audit.”

He believes the new role emerged as a result of the restructuring that has taken place within modern organisations. “When they delayered and re-engineered, sacked staff and empowered others, sometimes empowering meant that everyone did what they felt like,” he says. Companies had to find a way of helping managers assess the risks of what they were doing. Internal auditors were brought in, people who were scientists, engineers and other specialists who could help assess the risk involved in potential decisions.

Teji believes that corporate governance initiatives have also boosted the profile of internal audit. “They have made management much more risk-aware,” he says. “It’s not about compliance any more. Control self-assessment can take care of that. Auditors should be focused on strategic business risks and make sure that the risks are covered. It’s a higher-level role, more of a consulting role. It’s all to do with the capability of internal audit and how it’s viewed within an organisation. Here (at Asda) there is a lot of respect for the things internal audit does.” Teji reports to the FD and to the audit committee. “Or I can go straight to the chief executive or Archie Norman, the chairman,” he says. “They listen.”

Teji also believes risk assessment has to cover a broad range of issues. “It’s very easy for people to just focus on the balance sheet and profit and loss,” he says. “But that’s not where the risks are. One of the biggest risks for Asda that doesn’t appear on a balance sheet is the risk that someone dies from E. coli poisoning. How do you put that on a balance sheet? You don’t, but you do need to identify it as a risk.”

Risk is inevitably discussed in reference to the negative impact that it can have on a business. But the debate is extending to put emphasis on the positive implications of effective risk management, as well as the negatives of failure. The ICAEW recently put out a discussion paper, Financial reporting of risk: proposals for a statement of business risk, which argued that the uncertainties inherent in business would be better reflected in financial reporting if companies published a ‘statement of business risk’. That statement would identify key risks, describe actions taken to manage them and report on how they are measured. It would cover the potential for gain, not just exposures to loss.

“People get bogged down in reporting policies, objectives and waffle,” says Arthur Andersen’s Robert Hodgkinson, chairman of the ICAEW steering group that wrote the paper. “This avoids the waffle.” Instead companies identify their top risks, see what they are doing to manage them, and then see if they are doing enough. The report could eventually turn into some form of best practice statement. Although it is early days, Hodgkinson is hopeful that the approach could address the assumed conflict between corporate governance and making money. It encompasses risks that threaten prosperity, and talks up the benefits of reporting those risks.

“We had a big discussion about what we meant by risk,” says Professor Ken Peasnell of the University of Lancaster Management School and a member of the ICAEW’s steering group. “Was it just the downside, or was it the upside too?” The group felt it was worth stressing that organisations could gain from reporting risk. “The cost side of disclosure is so obvious to businesses,” says Peasnell. “The more you report, the more you give away.” So the ICAEW paper explains the upside – that a fuller disclosure of risk issues could lead to a lower cost of capital.

More positive thinking on business risk management comes from Ernst & Young. “It does mean your ability to grow and expand becomes far greater,” says Ally Macaskill, partner in the firm’s business risk consulting team. The momentum in risk management is switching away from simply damage limitation to making sure things go right. E&Y is somewhat disappointed with Hampel in this respect. Macaskill fears that some companies, driven by their desire to report the soundness of their internal controls, will concentrate on one-off processes and checklists. “If it is all driven by reporting, then you will get people with checklists in internal audit saying: ‘We have done this and can report that.’ It’s rear view stuff. Our view is that companies that adopt this approach will lose competitive advantage to those with a more holistic approach to risk management,” he says.

Leading-edge organisations start with a very clear risk agenda set by the board, says E&Y’s Mike Green. They identify the most critical risks facing the organisation and what the strategies should be for addressing them. The board considers what the organisation’s tolerance for the risks should be. “We cascade that down through the organisation,” says Green. “We can work with the organisation to find the right risk management architecture, the structure for getting the risk-reward balance right.”

In effect, this amounts to a form of change management programme, focused on risk. “That’s where we think Hampel doesn’t go far enough,” says Green. “Hampel says: ‘Do we have a sound system for reporting where we have been?’ But companies are asking: ‘Where do we want to go?’” Leading-edge companies want that glass to stay half full.

Sarah Perrin is a freelance journalist.