New “Guidance on Risk Management, Internal Control and Related Financial and Business Reporting” from the Financial Reporting Council
After much turmoil in our economy, and many, many months, if not years of consultation, the long awaited guidance on risk management (and all the rest of the things included in its snappy title) from the FRC was published last night (16/17 September 2014). And – I never thought that I would write this – it was well worth the wait. This document is miles ahead of the former incarnations of the Rutteman Report (remember that?) and subsequently various versions of the Turnbull Report. At last we have something that really addresses the needs of companies, and boards in particular, to do something sensible about risk management.
Thankfully this guidance is also pulling together the various sources of guidance on risk including the former Sharman Report on addressing the knotty issues of reporting under the going concern principle. So this becomes a one-stop source of reference and guidance for boards.
Contextually, as the document says:
‘The Code defines the role of the board as being “to provide entrepreneurial leadership of the company within a framework of prudent and effective controls which enables risk to be assessed and managed”. Effective development and delivery of a company’s strategic objectives, its ability to seize new opportunities and to ensure its longer term survival depend upon its identification, understanding of, and response to, the risks it faces.”
At last we are looking at risk management in the context where it belongs: the entrepreneurial leadership of the board, seizing new opportunities and long term survival. In other words this is not a mere governance issue: it is about the creation and protection of value. It goes on to say that the “Company’s approach to risk [needs to be] properly considered in setting the company’s strategy”. In other words risk and its proper management is a strategic issue – as I have been arguing for a very long time. Of course this is divergent with the common practice in many companies today where it is largely a compliance issue dealing with operational matters.
The responsibilities of the board are set out in Section 2 of the guidance and are comprehensive. I have summarised them below:
- Design and implementation of appropriate risk and control systems and robust assessment of principal risks;
- Determining risk appetite;
- Ensuring appropriate culture and reward systems are embedded;
- Agreeing on the approach to managing principal risks;
- Monitoring and reviewing risk management; and
- Ensuring sound information on risk management is published
There is also more material on the board’s responsibility for the Going Concern principle, which I will deal with in a subsequent note. Interestingly, references in earlier drafts to stress testing appear to have been relegated to Appendix B where the approach to longer term viability is discussed. With that exception, the list of responsibilities includes three comparatively recent additions to directors’ responsibilities: namely risk appetite, risk culture and ensuring that sound information is published on risk matters. While risk appetite appeared in the UK Corporate Governance Code a few years ago by inference, it is here explicitly (albeit in brackets!)
My personal take on this is that directors who take this list of responsibilities seriously (and who wouldn’t given the potential impact of failing to do so) will have some considerable work on their hands to address the first two of these issues: namely risk appetite and risk culture. The more fundamentalist members of the ISO31000 community will likely have a collective frenzy of horror at the “Risk Appetite” phrase creeping in – I on the contrary am delighted to see it appearing, because I believe it to be the cornerstone of an effective risk management approach, especially in the strategic domain. At a recent Internal Audit conference I asked how many internal auditors were reviewing their corporate risk culture in anticipation of these changes (they have been well trailed). The response was that depressingly low numbers are doing so and even fewer could articulate their approach to risk appetite.
Section 3 of the guidance advises boards on the exercise of their responsibilities. Five key areas strike me as being particularly relevant and they include:
- Having the board ensure that the “appropriate culture is in place”. Indeed the guidance goes on to say that “it is not sufficient for the board to set the desired values.”
- Ensuring that there is adequate discussion at the board: this is a far cry from the comments made by Nigel Turnbull after his Report was published when he said to the effect that it was sufficient for the board to have a chat once or twice a year. The guidance now says that “the board needs to ensure that it engages in informed debate and constructive challenge and keeps under review the effectiveness of its decision-making processes.
- Considering whether the board and any committees and management groups have the “necessary skills, knowledge, experience, authority and support to enable it to assess the risks the company faces and exercise its responsibilities effectively”. For some time now, I have predicted that this is an area where boards are going to need help. There is far more to the style of risk management that is being asked for here than was implied under the previous guidance. My take on this is that we will see more boards looking for a risk specialist on their team of non-executives, and quite probably seeking board advice specifically about these areas, rather than the broader advice that might be offered to management more generally on the topic.
- Specifying and then monitoring the information that it requires to discharge its risk responsibilities, and in particular that “it is of sufficient quality to allow effective decision-making”. Much of what currently passes for risk management is a data-free zone. This will have to change as boards demand better quality information over which appropriate governance procedures are exercised, more akin to the disciplines over accounting data.
- Identifying and seeking assurance on risk matters, including from “compliance, risk management, internal control and internal audit functions within the company, the external auditor’s communications to the audit committee … and other internal and external sources of information or assurance.” The guidance goes on to say that “the board should satisfy itself that these sources of assurance have sufficient authority, independence and expertise to enable them to provide objective advice and information to the board.” Expertise is written in my italics: it ought not to be good enough for anyone to hold themselves out as a professional risk practitioner without having appropriate credentials. In my view appropriate credentials are rarely provided solely by dint of a qualification in another professional area.
Section 4 of the guidance provides some thought on the establishment of risk management and internal control systems. There is comparatively little that is new or innovative in this regard in this document. Section 5 addresses the requirements to monitor and review risk management and internal control systems. Most important in this section are the recommendations as to what an annual review of effectiveness should address. These include:
- Risk appetite
- The operation of the risk and control systems;
- The integration of risk and control with considerations of strategy and business model;
- Changes in risks and the ability to change in response to the external environment;
- Risk communications
- Issues dealt with by the board during the year; and
- The effectiveness of the reporting process to the public.
It will be up to the board to determine how this review is carried out. No doubt internal audit will often be the default choice. I would merely caution the board to consider the relevant domain qualifications, skills and expertise resident in their internal audit departments. Some will have it, others definitely will not and the board will have to satisfy itself that the right people are conducting the review.
Section 6 of the guidance addresses specific reporting requirements, which I do not propose to cover here, apart from the “Safe Harbour Provision in relation to the Strategic Report, Directors’ Report and the Directors’ Remuneration Report”. Directors will benefit from some protection from making misleading statements in these areas provided that they did not know that the statements were untrue or misleading and did not know that the omission was a dishonest concealment of a material fact. Again, this suggests to me that directors may well wish to engage with professional advisors to assist in the preparation of relevant information being provided to shareholders (and others) in these various reports.
Appendices A and B deal with Going Concern and the Longer Term Viability Statement respectively. I will address these in a subsequent note.
Appendix C provides some useful questions for the board to consider, and Appendix D sets out the relevant sections of the UK Corporate Governance Code and other regulatory provisions.
Conclusion: This document is far reaching in how it addresses risk management. Many companies are going to struggle to articulate their risk appetite or understand their risk culture with sufficient depth to make the concepts meaningful. I anticipate that boards will start to recruit “risk” non executives to their cadre and that we will see more risk board advisors emerging.
My key recommendation is that all boards should consider the content of this guidance carefully and take steps sooner rather than later to address any shortcomings in their current procedures.
You can view the document by clicking here
Richard Anderson is the principal at AndersonRisk. He is the Chairman of the Institute of Risk Management and was the principal author of their guidance on risk appetite and tolerance.