11
Risk Management and Corporate Governance

11.1 INTRODUCTION

The concept of risk management was embedded in corporate governance in the late 1990s. Corporate governance guidance was issued and promoted in reaction to scandals in the US and the UK over the previous 20 years. The following loss events, grouped by operational risk category, are taken from a World Bank presentation (2004):
• Internal fraud – Allied Irish Bank, Barings and Daiwa Bank Limited, $691 million, $1 billion and $1.4 billion respectively, fraudulent trading.
• External fraud – Republic New York Corp., $611 million, fraud committed by a custodial client.
• Employment practices and workplace safety – Merrill Lynch, $250 million, legal settlement regarding gender discrimination.
• Clients, products and business practices – Household International, $484 million, improper lending practices; Providian Financial Corp., $405 million, improper sales and billing practices.
• Execution, delivery and process management – Bank of America and Wells Fargo Bank, $225 million and $150 million respectively, systems integration failures and failed transaction processing.
• Damage to physical assets – Bank of New York, $140 million, damage to facilities related to September 11, 2001.
• Business disruption and system failures – Salomon Brothers, $303 million, a change in computer technology that resulted in ‘un-reconciled balances’.
These scandals and losses have done much to shape the scope and depth of current regulation in operational risk management.
To understand more clearly how risk management came out of the corporate governance debate, it is necessary to look back into the development of ‘corporate governance’.
* Reproduced by permission of A. Merna.

11.2 CORPORATE GOVERNANCE

Corporate governance can be defined as the:
system by which companies are directed and controlled.
(Cadbury Committee definition 1992)
While corporate governance has gained a lot of exposure in recent years, there is in fact nothing new about the concept. It has been in existence as long as the corporation itself, that is as long as there has been large-scale trade, reflecting the need for responsibility in the handling of money and the conduct of commercial activities. At the end of the nineteenth century, shareholders started to hand over the direct management of larger firms to hired professional managers. This was facilitated by the adaptation of British company law, which offered businesses the protection of limited liability by separating personal liability from that of corporate organisations. Personal liability could therefore be limited to the amount of the shareholding in an incorporated company, limited by shares. The concept of corporate governance truly appeared when the owners of a company were not also those who directed and managed the company. They then required some assurance that the directors and managers safeguarded their investments and reported to them the correct amount of profit from which they may have received their dividends.
For most of the twentieth century the corporate governance debate in the UK focused on the relationship between management and shareholders and on the maximisation of shareholders’ profit and wealth. Adam Smith, who studied human motives at length, observed that directors who are the fiduciaries of other people’s money cannot be expected to be as vigilant and careful with it as they would be with their own.
The nature of the debate on corporate governance changed radically in the late 1980s in the US and then in the UK. The 1970s and 1980s were marked by numerous financial failures, fraud and questionable business practices (the ‘gin and tonic era’). People started questioning why this was happening, since these failures could not be explained solely by senior management mistakes or misjudgements. This led to a number of initiatives in the US and Canada.
In 1985 the Treadway Commission (the US National Commission on Fraudulent Financial Reporting) investigated a number of large business failures and concluded that in more than 50% of the cases reviewed the failure was explained by a breakdown in internal control. From that period the corporate governance debate broadened its scope and became two-fold: still concerned with board management issues, but also highly interested in the prevention of major business failures through effective systems of internal control.
In the UK several committees were set up which issued recommendations (Cadbury 1992, Rutteman 1994, Greenbury 1995, Hampel 1998). In 1998 these were drawn together in a code known as the Combined Code.
The code was not initially compulsory; however, every company listed on the London Stock Exchange was obliged to report whether it complied with the code and, if not, which provisions of the Combined Code had not been applied. In practice, because the Combined Code was viewed as a code of best practice, few companies departed from its guidance. It should be noted that health and safety, though not a central aspect of corporate governance, is nevertheless an issue on which directors are also asked to give an account. This covers their own employees as well as suppliers and contractors working on their premises.
The provisions of the Combined Code relating to risk management are detailed in principle D2 and provisions D2.1 and D2.2 as follows:
Principle D2: ‘The board should maintain a sound system of internal control to safeguard shareholders’ investment and the company’s assets.’
Provision D2.1: ‘The directors should, at least annually, conduct a review of the effectiveness of the group’s system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management.’
Provision D2.2: ‘Companies which do not have an internal audit function should from time to time review the need for one.’
London Stock Exchange Listing Rule 12.43 stated that ‘the annual report should explain how the principles set out in the Combined Code have been applied. Any departure from the Combined Code principles should be mentioned in the annual report.’
The first major appearance of the concept of risk management in corporate governance is thus quite ambiguous. Risk management is mentioned as something distinct from the control review process, and it is not clear whether it is actually another set of controls to be reviewed. The Combined Code gives no definition of the concept.
For this reason, and because no practical guidelines were available, a new working party (the Turnbull Committee) was set up to explain how the Combined Code should be applied. The guidance it issued, known as the Turnbull guidance, is now appended to the Combined Code. Companies largely endorsed the Turnbull recommendations even though, at the time, they represented both a real challenge for most companies and significant additional work to implement. The Institute of Internal Auditors’ guidance on Turnbull (2000) reported that in July 2000 three quarters of companies still expected to need further work to comply with the Turnbull guidance. The Financial Reporting Council (2005) undertook a review of the Turnbull guidance and stated: ‘the review found that the (Turnbull) Guidance had contributed to improvements in internal control in UK listed companies. It strongly endorses the principles-based approach of the Guidance, which allows companies to focus on the most significant risks facing them. It recommends only limited changes to the Guidance to bring it up to date.’ The Institute of Internal Auditors, however, issued a more reserved statement on the effectiveness of the Turnbull guidance.
The 47 paragraphs of the Turnbull guidance brought some clarity to provision D2. With regard to the concept of risk management, however, the guidance remains confusing because it refers to the concept sometimes as a governance structure and sometimes as a management objective. For example, in paragraph 10 risk management is defined as part of the system of internal control, whereas in paragraph 16 the system of internal control is said to have the aim of managing risk. Sarah Blackburn (1999) notes the lack of a ‘clear concept of the relationship between internal controls and risk management’, adding that the term ‘internal control’ as used in the Turnbull guidance is probably too narrow to embrace the whole of risk management. What is obvious at this stage is that neither the Combined Code provisions, nor the Turnbull guidance, nor the further professional guidance manuals issued by various institutions approach the concept of risk management in an easily understood way.
In summary, the Turnbull guidance is about managing the risks that are ‘significant to the fulfilment of a company’s business objectives’. Companies should not only create and maintain truly risk-facing internal control systems, but also ensure that these systems are embedded deep within the corporate anatomy. Ultimate responsibility for implementation falls on the board of directors, and no distinction is made between executive and non-executive directors. Directors are required to review, and report to shareholders on, the effectiveness of all internal controls (financial, operational and compliance controls and risk management) at least annually. This approach to risk management has been welcomed by a number of organisations as a means of enhancing performance and gaining competitive advantage. Investors (both lenders and shareholders) regard the implementation of Turnbull not only as a safeguard against damaging mistakes but also as a measure of business success. With the scope of risk management now extending beyond financial matters, audiences concerned with company values (product quality, health and safety, employee and customer loyalty, etc.) or wider issues (environmental, ethical, social, etc.) will take an interest in disclosures made in these areas. Industry regulators and courts will regard the extent to which Turnbull has been implemented as a compliance indicator and will pick up on deviations from its best practice standards when investigating companies.
Disasters catch out even the most vigilant organisations. When they occur, they can result in litigation against the company, criminal and civil actions against directors personally, negative publicity and damage to corporate reputation, among other consequences.
The companies which are likely to survive the consequences of a disaster will be those which:
• can demonstrate a good record of regulatory policy and compliance
• have crisis response systems in place which bring immediate effective relief, limit damage and negative exposure and work fast towards re-establishing business continuity and
• have insurance protection to minimise the financial impact on the business, its directors and officers.
In disaster situations, larger well-established companies are likely to derive additional support from their corporate reputation and stakeholder loyalty. For small to medium-sized companies and young companies, the satisfaction of the above criteria will probably determine whether or not they will weather the storm.
For all its upbeat and incentivising qualities, Turnbull should not be misunderstood. While proper implementation will bring benefits ranging from business gains to a happier workforce, the critical test of its value comes when the unavoidable disaster occurs. There is no doubt that in such situations the extent of a company’s compliance with Turnbull will be scrutinised. Proper risk management systems will prove to be the company’s lifeline: they can be used to dissuade a regulator from prosecuting, or operate as powerful mitigation should the matter go to court. Implementing a system of internal risk control requires an honest appraisal of the company’s capabilities: what can it do in-house, and what should be outsourced?
In fairness, despite never defining risk management, the Turnbull guidance still gives the following clear directions with regard to the general concept of risk:
• A company should assess its risks on a regular basis and be capable of responding to risk.
• Procedures should exist in order to ensure that significant risk matters are reported to management.
• Companies should report on the process in place to manage risks.
The last aspect, the need to report information on risk in annual reports, finally brought corporate advisers and auditors into the risk management debate. The prospect of advising boards on how to communicate on the subject in annual reports, and on how to implement the provisions of the Turnbull guidance, provided a solid new stream of consulting income. Worldwide auditing firms and management consultants thus developed their own guidance on the guidance.
The Deloitte & Touche (2001) progress report on corporate governance lists the following key considerations on risk management:
• Link risk management to business improvement.
• Keep it simple and straight-forward.
• Build it into the decision-making process.
• Now is not the time to declare victory.
Risk management is not defined, and the general guidance does not stipulate how risk management should be implemented. It only provides general principles for implementing risk management, as it would for any type of project.
Felton and Watson (2002) listed some general principles for effective risk management as part of a set of rules for strengthening corporate governance. These are summarised as follows:
• Companies should delineate the risks.
• The company should ‘measure its risk exposure and update its risk profile routinely’.
• The people who determine the company’s risk policy and monitor and control its implementation should be different from those who manage the business.
• Any key decisions should include risk considerations.
The ICAEW published guidance on internal control (1999) which reflects its view that the Turnbull guidance should be interpreted in a non-bureaucratic way and adapted to the particular circumstances of individual companies. In other words, companies have maximum flexibility in how they implement and report on risk management.
Barjon (2006) notes that the financial investment profession has also embraced the concept of risk management, the title of chief risk officer having first developed in financial institutions. In finance, risk is very much linked to reward: risk is the concept used to appraise the profitability of different investments according to their risk profile, and it is conceptualised in mathematical models, especially for quoted investments.
Barjon (2006) also states that risk management has been developed by different professions with relatively different perspectives and objectives:
• the minimisation of the financial impact of negative impact events (insurance)
• the assessment of the likely rewards of financial investments (finance)
• the prevention of negative impact events with the view to safeguard assets and protect people (technical and engineering).
Over the last few years risk management has become one of the core topics discussed by business and political leaders. Samuel DiPiazza Jr, the Global CEO of PricewaterhouseCoopers (PwC), made a presentation on risk management at the World Economic Forum in Davos in 2004, and its key elements are worth noting. DiPiazza stated: ‘While there has never been a time when risk has been completely absent from our world, our businesses, and our lives, today risk comes in more flavours than ever before.’ The flavours he cites to justify the rise in concern about risk are the threat of terrorism, the reality of wars, unpredictable economic gyrations, corporate scandals and tighter regulation.
DiPiazza also stated that risk management activities help organisations ‘to achieve their objectives, reduce volatility of outcomes, and ensure effective reporting and compliance’. He also used the term enterprise risk management, which is used more frequently in the US to describe the global corporate perspective on risk management and to avoid confusion with insurance matters, and he set out very clearly the dilemmas of risk management. First, ‘reducing uncertainty about downside loss . . . and upside gain entail a real cost’: in other words, risk management activities represent a significant cost to companies, and preventing future unexpected losses comes at a premium. Second, ‘reducing downside loss can reduce opportunities’: companies need to find the right trade-off between risk and the opportunity of reward, and risk management should not be treated as the ‘be all and end all’. Companies should always be prepared ‘to expect the unexpected and to act when the unexpected occurs, as it inevitably will’.
In the Anglo-Saxon world, risk management has become a high-profile business management topic and is almost anchored as an official management standard for running large businesses.

11.3 CORPORATE GOVERNANCE APPROACH IN FRANCE

Interest in corporate governance and formal risk management theories has been most acute in countries, mainly Anglo-Saxon ones, where indirect ownership of quoted companies is widespread and the legal system is of English origin. Marc Goergen (2003) explains, for example, that German companies, which are generally controlled by significant shareholders, are subject to less external control than UK companies. In the UK and US, state and pension funds have invested large sums in quoted shares to meet the financial needs of their pensioners. Pension funds are by nature risk-averse and are therefore very keen to promote new initiatives in corporate governance; they hold a very large proportion of the shares quoted on the stock exchanges of the USA, UK and Canada. In countries without such pension funds, the concept of corporate governance is more recent and less familiar. In France pensions are organised on a pay-as-you-go basis (répartition) rather than the Anglo-Saxon funded (capitalisation) system; in other words, those who work pay for those who are retired.
It is interesting to note that the trend is, however, changing under international influence. More French companies are now quoted in London and New York and have to comply with British or American regulations. French society is adapting slowly to the new world business environment; disclosure of directors’ remuneration in annual reports, for example, is now less of a taboo.
The main initiatives on corporate governance in France have been:
• Report Vienot I – June 1995, MEDEF
• Report Vienot II – July 1999, MEDEF
• Report Bouton – December 2002, MEDEF
• A proposal for Internal Control Procedures – December 2003, MEDEF
• Recommendations on the corporate governance – 1998, 2004, AFG-AGS.
The most relevant initiative was the French equivalent of the Turnbull report, the Viénot report. A committee formed by the chief executives of 14 of the largest French listed companies reviewed corporate governance matters, including the need to separate the functions of chairman and chief executive, the need to publish the remuneration of executive directors of quoted companies, and various questions relating to the administration of the board. The committee was sponsored by the powerful private employers’ organisations MEDEF (Mouvement des entreprises de France) and AFEP (Association Française des Entreprises Privées). The resulting guidance, named after Viénot, was produced in July 1999 and has subsequently been updated by additional guidance from the MEDEF. A first reference to risk was made in a later MEDEF report, which states that the objective of the system of internal control is to manage risk. That report, however, mainly suggests that annual reports should detail internal control procedures and responsibilities and the key legislation and codes with which the company complies; it does not expand on the actions suggested for managing risks.
Another MEDEF report, the Bouton report (2002), only comments that risks need to be better managed as a matter of principle. The latest guidance issued by the French Asset Management Association relates only to the general principles of corporate governance.
It should be stressed that the main difference from the UK situation is that most of these recommendations have not been embedded in law and are not enforceable. That kind of process takes years in France, where the civil law system is very complex. There is one exception, relating to compulsory information on internal control. The new law, the Loi de Sécurité Financière (LSF, 2003), requires quoted companies to report on internal control in the annual report, without saying what internal control is or whether the report should be descriptive or should express an opinion on how controls are managed within the company. In the absence of further guidance, companies have adopted a very low profile on these topics in their annual reports.
Overall, there is no official corporate governance guidance in France that deals specifically with risk management theories and recommended practices and that companies must comply with, as there is in the UK with the Turnbull guidance.

11.4 CORPORATE GOVERNANCE APPROACH BY THE EUROPEAN COMMISSION

Internal Market Commissioner Fritz Bolkestein stated in 2003 that ‘company law and corporate governance were at the heart of the political agenda’ and that Europe had a ‘unique opportunity to strengthen European Corporate Governance and to be a model for the rest of the world’. As a result the European Commission set out a plan of action which was presented in May 2003.
The Commission’s position is well summarised in European Commission (2003): ‘The Commission does not believe that a Corporate Governance Code would offer significant added value but would simply add an additional layer between international principles and national codes.’ The Commission suggests instead that ‘The European Union should adopt a common approach covering a few essential rules.’ The most urgent initiatives considered by the Commission were:
• introduction of an annual corporate governance statement
• shareholders’ rights
• promotion of the role of non-executive directors
• directors’ remuneration
• convergence of nations.
In response, a European Corporate Governance Forum was set up in 2004, comprising representatives of member states, European regulators, issuers, investors, other market participants and academics. The Forum is chaired by the European Commission. It has not yet produced any relevant material on corporate governance and risk management.

11.5 CORPORATE GOVERNANCE AND INTERNAL CONTROL

Internal control is defined in the Turnbull guidance appended to the Combined Code as follows:
An internal control system encompasses the policies, processes, tasks, behaviours and other aspects of a company that, taken together:
Facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risk to achieving the company’s objectives. This includes the safeguarding of assets from inappropriate use or from loss and fraud, and ensuring that liabilities are identified and managed.
Ensure the quality of internal and external reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organisation.
Help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of business.
Internal control should not be confused with the narrower definition of a control as a response to a risk. In that sense, HM Treasury’s Orange Book (2001) on risk presents the following definition of control:
Control is any action, procedure or operation undertaken by management to increase the likelihood that activities and procedures achieve their objectives. Control is therefore a response to risk.
Internal control is a concept that has been used by various governmental bodies and professional institutes to communicate the best practices companies should adopt to make their operations more reliable. Several models have been developed over time, and they have gradually integrated the concept of risk.
The first widely known model was the US ‘COSO’ framework, named after the organisation that developed it, the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The Canadian Institute of Chartered Accountants developed its own model two years later, in 1994, called ‘CoCo’ (Criteria of Control). Private consulting firms also developed other internal control models in the 1990s, such as the Cardmap system.
More recently the original COSO model was revisited and updated as COSO II (the COSO enterprise risk management framework). The model promotes the setting of meaningful objectives for all activities of an organisation and the implementation of eight interrelated components supporting each objective. These components are:
• internal environment
• objective setting
• event identification
• risk assessment
• risk response
• control activities
• information and communication
• monitoring.
This control model is now used by a large number of companies in the US and clearly places risk management at its heart. The promotion of control models has made risk management more practical and more widely discussed by staff at all levels of companies.
Finally, a development in US corporate regulation needs to be discussed, since it carries powerful implied risk management strategic ideas and new guidance on internal control frameworks. It is known as the Sarbanes-Oxley Act of 2002 (SOX), or the Public Company Accounting Reform and Investor Protection Act of 2002. The Act has been described as ‘wide ranging and establishes new or enhanced standards for all U.S. public company Boards, Management, and public accounting firms. The Act contains 11 titles, or sections, ranging from additional Corporate Board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law.’ The Act was passed by the US Congress following a deterioration of public confidence in official company information, including financial results, after the scandals at Enron, Tyco International and WorldCom. SOX goes much deeper than the accuracy of financial reporting; it touches many areas affecting the management of every project within an organisation. Companies quoted in the US, and their international subsidiaries, must comply with the provisions of the Act.
Pavyer (2005) states that companies surveyed by AMR expected to see business benefits from the work undertaken to comply with the above regulations, ranking those benefits as follows:
1. better alignment between business policies and related controls
2. improved capability to manage risks in the business
3. heightened importance of compliance related operations as part of every activity
4. improved governance of IT functions core to business operations
5. improved accountability across the entire organisation
6. improved financial decision making
7. better visibility into performance at business levels
8. improved ability to react to changes in market conditions.
The section most relevant to risk management, however, is section 404 of the Act, ‘Management Assessment of Internal Controls’. To present the full impact of this section on businesses would require a discussion of the respective roles of external auditors and management in reporting the financial performance of companies. In simple terms, from a risk management perspective, the Sarbanes-Oxley Act introduced the following principles:
• The risk of fraudulent or inaccurate financial reporting must be reduced to a minimum.
• An effective financial reporting process rests on effective internal controls over financial reporting, which ensure that financial transactions are accounted for correctly during the year, together with the examination of the financial statements by external auditors at year end.
• External auditors cannot fully audit internal control systems, so senior management’s responsibility must include making sure that a system of internal control over financial reporting is in place within the company.
• At year end, external auditors must produce a report on the system of internal control over financial reporting in addition to their annual audit opinion on the accuracy of the accounts.
Section 409 requires public disclosure of material changes in financial condition or operation for those firms reporting under section 13(a) or 15(d) of the Securities Exchange Act of 1934.
It should be noted that the risks and risk responses (controls) covered by the Sarbanes-Oxley Act relate only to the financial reporting process. Moxley (2003) points out that ‘the rules drafted by the US regulator the Securities and Exchange Commission (SEC) to implement the legislation talks only about a very narrow form of internal control . . . in relation to financial reporting and controls over information filed with the SEC’.
More broadly, the Act has re-established the generic principle that management is ultimately responsible for everything concerning the company it manages, and thus that it should be aware of any risk that threatens the business, not only the risk of inaccurate financial reporting.
The major criticisms of the Sarbanes-Oxley Act relate to the added cost burden that compliance has imposed on firms, especially in increased auditor fees and in the additional human, time and financial resources firms spend to comply. It amounts to a mini external audit on top of the statutory yearly audit. Pavyer (2005) states that, in a recent survey of Fortune 1000 companies, firms were spending on average US$4 million to comply with SOX and, according to a Financial Times report, would pay a further US$2.9 million to ensure ongoing compliance. This spending spans a range of business processes (financial, IT, operational), with an increasing share going to technology components.
Complying with SOX is an enormous challenge. With senior executives’ personal liberty on the line, it is inevitable that US companies will extend the spirit of the Act beyond its geographic boundaries. It is essential, however, that for an investment of this magnitude the return should go beyond tick-box compliance, particularly in terms of the risk management processes.

11.6 SUMMARY

Corporate governance provides a framework for all major organisations. Which framework an organisation is most familiar with will often depend on the framework it has chosen and on where the organisation is located.
Corporate governance in itself is not new. The corporate governance frameworks now in place allow organisations to address the requirement to manage risk in a structured way.
Auditing and monitoring are inherent in corporate governance frameworks, and these systems can be developed to aid in the management of risk.