Taking risks - and managing them

This article is based on the Arthur Andersen publication Positive Risk Management. The title is important as it aims to dispel negative attitudes and the myth that risk management is all about not doing new things and avoiding risk. In June 1998 the Hampel Committee and the Stock Exchange published the 'Combined Code' on corporate governance. The Code combines the existing requirements of the Cadbury Code on corporate governance with the requirements of the Greenbury Code on directors’ remuneration and adds some new requirements as a result of the findings of the Hampel Committee. Although Sir Ronald Hampel himself and subsequent press coverage have tended to present a 'no change' message, there are a lot of detailed changes which will have significant implications for most listed companies.

One of the new Code provisions which is likely to cause particular difficulty is the requirement for the review of internal controls to cover a wider range of controls rather than being limited to internal financial controls. This theme is repeated in the Exposure Draft (ED) of the new Statement of Recommended Practice on accounting and reporting by charities. Trustees of a charity will be expected to include a statement regarding the adequacy of internal controls. Arguably this should not cause a problem because trustees and management should be addressing these issues in the normal course of their duties.

Turnbull in a nutshell

The ED does not go as far as the recommendations of the Turnbull report for Public Listed Companies that was produced by the Internal Control Working Party. In this report the link between risk management and improved business performance is being acknowledged, for the first time, by governance regulations. The Turnbull report has some key messages:

  • Risk management is the collective responsibility of the whole board.
  • Directors need to review the effectiveness of internal controls on an annual basis, at least.
  • The risks facing the business should be regularly evaluated.
  • The review should include risk management, operational and compliance controls, as well as financial controls.
  • The board is ultimately responsible for internal control, but may delegate aspects of the review work.
  • Companies without an internal audit department need to regularly review the need for internal audit.
  • Boards must report each year on how they maintain a sound system of internal control and whether they review its effectiveness and the need for internal audit.

Charities and risk reporting

Although there is no requirement for charities to follow these guidelines, which are required for public listed companies, my experience is that many trustees are taking the view that charities, as public interest bodies, should take heed of the recommendations. This means that they believe they should be reviewing relevant issues and making some statement in the trustees’ report on internal control and risk management.

The auditors' report does not cover other information contained in client-prepared documents, such as the trustees’ report. However, auditors should read this information and consider whether it is materially inconsistent with the financial statements. When an inconsistency or a material misstatement of fact is noted and the client will not correct it, auditors will need to consider whether they should expand the audit report, withhold the report, withdraw from the engagement or take other appropriate action. This means that the charity and its auditors must agree what can be said about internal controls and risk management in the trustees’ report.

While some charities may describe specifically what they have done, some may make a simple statement that they have 'established procedures'. The key point is that, for companies to make such a statement, auditors would expect them to be able to answer 'yes' to all the points below on whether the trustees have established procedures to do the following (numbers in parentheses refer to the Turnbull Report).

  • Set policies (16) on internal controls which cover the following:
    • consideration of the type of risks the company faces;
    • the level of risks which they regard as acceptable;
    • the likelihood of the risks concerned materialising;
    • the company's ability to reduce the incidence and impact on the business of risks that do materialise; and
    • the costs of operating particular controls relative to the benefit obtained (17).
  • Establish the responsibility of management to implement their policies and identify and evaluate risks for their consideration (18).
  • Communicate that employees have responsibility for internal control as part of their accountability for achieving objectives (19).
  • Embed the control system in the business's operations so that it becomes part of the culture of the business (22).
  • Respond quickly to evolving risks to the business arising from factors within the company and to changes in the business environment (22).
  • Include procedures for reporting failings immediately to appropriate levels of management, together with details of corrective action being undertaken (22).

Popular misconceptions

Many people approach risk management from the downside. Here are a few assumptions and popular misconceptions about risk management.

"All I have to do is superimpose the Turnbull requirements onto what we’ve been doing for years."

Wrong. Retro-fitting the requirements of the Turnbull report onto old procedures will not work. Funders, donors and many regulators now expect charities to take a forward-looking approach to risk management – the essence of the new recommendations.

"Risk is just something for finance and insurance teams to worry about."

Wrong. Risk is everybody’s responsibility, from staff operating individual processes, right up to the chief executive and the board of trustees.

"Risk can be managed independently by each business unit manager."

Wrong. If risk management activity is not integrated or coordinated, operating units may be doing things that aren’t in the overall interests of the charity. Also, individual units need to be given the chance to compare and contrast performance to pinpoint where and how to improve.

"Risk comes up on the agenda just once a year."

Wrong. Risk cannot be planned for once a year because risk changes all the time. That is why risk management must be a continuous process to be effective.

"Good risk management is just another layer of unnecessary bureaucracy."

Wrong. Effective risk management should not involve painful effort. Bureaucratic procedures serving long-forgotten purposes will create risk. With the right mindset, risk management should speed up processes, not slow them down. It should enhance outcomes, not get in the way of them, and it should be integral to core strategic and operating processes.

"I can leave my finance director to worry about risks."

Wrong. Top-level sponsorship is fundamental to the success of risk management. It should be on the chief executive’s top list of business priorities, if it isn’t there already.

"Risk management is about the downside, not about creating value."

Wrong. Charities need to be innovative and often need to take risks to create value for stakeholders. They are more likely to create exceptional value if they have strong risk management and explain how they manage risk.

"Risk is a compliance issue."

Right. But that’s like saying the purpose of wearing seatbelts is to obey the law. The laws are designed to protect well-being. Trustees and management should use risk management as an opportunity to help manage the charity better.

Risk management in the 21st Century

Risk management is not new; however, the approach to risk management has been changing fast in response to the quickening pace of upheaval and uncertainty in the world. We define business risk as the uncertainties an enterprise must understand and manage to achieve its objectives and execute strategies for adding value. Moving into the new century, risk management is:

  • forward-looking, trying to manage an uncertain future;
  • open, with appropriate disclosure to enable all stakeholders to understand what risks are being taken;
  • constructive, about opportunity management as well as disaster prevention;
  • unified by integrating all business units, functions and managers and following a coordinated process which uses a common risk language;
  • strategic, driven by business objectives, particularly the risks of adapting to the new business landscape;
  • evaluated on a regular basis, not just an annual exercise, facilitating the flow of knowledge and information about risk across the organisation; and
  • durable, structured to evolve continuously with changes in the business.

Looking ahead, risk management will become truly enterprise-wide in scope. This means that all functional, departmental and cultural barriers are eliminated and all of the critical components of business risk management are aligned to support the organisation’s strategy for creating value.

The benefits are compelling. To create exceptional value in today’s operating environment, charities need to take bold risks. To succeed, they are not required to take greater risks than others – they simply need to have a better understanding of what risks they can handle and how best to handle them. Occasionally they will fail. But charities with a good risk management process are likely to fail less often. Supporters and funders may be indifferent about specific models or methods but they will enhance their support for a charity if it is able to demonstrate it does a better job of managing its risks. The new challenges are:

  • How to build an inclusive and coherent risk management process without being pulled in different directions by diverse groups and their different agendas.
  • How to encourage a consistent approach so that risks are considered and managed coherently at an enterprise-wide level and in all business units and locations.
  • How to introduce risk onto the daily agenda.

The important thing is that risk management should be seen as part of the process of running the charity and adding value. I hope and expect that charities will not lag behind the corporate world in making statements about risks and their control, as keeping stakeholders really informed is part of the all-important process of building relationships with them.

 
   
 
 
