There are a great number of interpretations as to what corporate governance and risk management actually mean, and how they should be implemented. Victoria Younghusband of Lawrence Graham and Simon Morris of CMS Cameron McKenna regard the views of the UK Financial Services Authority (FSA) as an interpretation likely to be useful for more than just businesses in the financial sector.
The FSA is under a statutory duty to maintain financial sector market confidence. In trying to avoid damage to the sound standing of the UK financial system, it is particularly concerned about the conduct and collapse of organisations. The Authority does not look for a zero failure regime, because this would be unrealistic in the extreme. Not only would the FSA be setting itself up to fail, but any regime that implemented such an approach would be bound to strangle the ability of management to take responsibility, and would equally be bound to stifle an organisation's ability to innovate. As a guide, reasonable and comprehensive measures are likely to be completely acceptable, provided that the reasons for implementing each aspect of the regime are clear, fully documented, and revised regularly.
Guidance from the FSA includes a formal set of standards for the conduct of business, an emphasis on adequate resources, systems and controls, and a clear description and demonstrable process of the way that risks are initially identified and evaluated. It also emphasises the need for adequate systems and controls to be put in place alongside appropriate records. All of these things should be basic requirements for the corporate governance regime of any corporation, organisation or association.
Chris Spencer at Britannia Building Society said that, while corporate governance requires us to be more risk aware and to develop more effective solutions to our problems, from his perspective it is a dynamic process with cyclical monitoring. He believed that it would be easier to establish a good risk monitoring process if senior management saw corporate governance as a useful information and decision support process rather than as an overly bureaucratic process spiced with interventions from auditors demanding ever greater complexity.
Dynamic risk monitoring is a continuous activity that is necessarily influenced by change. Tension still lies between the proponents of cyclical monitoring and those of continuous monitoring. Those who think that cyclical monitoring is good tend to be involved in process audit. Those who believe that risk monitoring should be continuous are usually involved in the corporate governance and risk management process itself.
Spencer also emphasised the importance of semantics in the management of risk and corporate governance. He explained that a misunderstood word or interpretation means that people may no longer be discussing the same risk. If a risk is not described correctly, the meaning of what is being discussed may be completely transformed. This may be enough to change the way the risk is treated. He had found that the best way to avoid this was to adopt simple categories, such as financial, compliance, process or operations. He said that his organisation has applied these definitions with some success, but that potential users must bear in mind that each risk can only be placed in one category. If there is disagreement about the appropriate category, then the risk has probably been defined incorrectly. Once the category has been determined, a known control can be applied to a known area.
Spencer believed that it was important to set the right tone inside the enterprise as a whole in order to build the first foundations. Corporate governance is not a bureaucratic or simple compliance initiative, but an enterprise wide process requiring management attention. If management understands this and is amenable to providing appropriate data, it will have considerable information and support on which it can base its long-term decisions.
A dynamic corporate governance and risk management process is quite simply a process by which an organisation, its staff and management can continually track risks. Any private commercial organisation is out to make money, so a risk without benefit is unacceptable. In most organisations, a benefit is simply a measurable financial reward. However, it is also important to recognise that governance is about controls for opportunity as well as danger.
While embedding a corporate governance framework or process is a matter of compliance, if the proposed process is not changed and does not attract suggestions in the course of its development and progress to the board for approval and sign-off, this could indicate several things. The board might not really understand its responsibilities or the benefits of the process - or the process may already be sufficiently robust, informative and useful.
One of the most effective ways to ensure that responsibility for governance and risk is accepted throughout the organisation is for the CEO to allocate responsibility to main board directors. These individuals will allocate responsibility to those reporting directly to them, who will write objectives, implement strategies and in turn allocate parts of the responsibility downwards. Thus the process of delegation continues throughout the organisation. This is particularly appropriate for monitoring, legal and compliance issues and for those who understand health, safety and environmental issues. Such people may not be senior managers, but they have a vital part to play in corporate governance and risk management.
The final level of the process lies in the overseeing. This is the responsibility of the risk management committee, and internal and external auditors. It brings accountability back up to board level and to the non-executive directors.
One aspect of the FSA's new guidance is that it expects clear roles and responsibilities from all concerned with governance and risk in an organisation. Where appropriate, an individual may be held accountable. Victoria Younghusband indicated the likelihood that company law will take a similar stance, with clear direction on statutory statements of duties. Company law is also likely to direct the board to act in the best interests of the company in all that they do, having regard to the impact on the community and the impact of the way business is conducted.
It is therefore important that the board is satisfied as to the competence of staff throughout the organisation. It is no longer possible to use ignorance of an aspect of employees' work as a reason for not managing risks. While managers may not know as much detail as those they manage, their supervisory responsibilities demand some understanding. Younghusband indicated that the FSA now requires management to be 'satisfied on objectively demonstrable grounds as competent individuals'.
One participant suggested that a board's wish to know that things are going right could present problems. "There seems to be almost a death wish, with boards wanting to know so many details that they are flooded with information and can't easily spot underlying trends." Morris thought the best solution to this was a filter. Information should not go straight to the board without review and consolidation. If a daily 'dashboard' is produced at lower levels, such as for the head dealer, back office, operations and similar levels, these individuals can be trained to interpret the dashboards, understand what they mean in detail and be empowered to act on immediate problems. Such dashboards can then be consolidated to something more appropriate for board consumption. The reason why this system is not more commonly used is not that boards do not want this approach, but rather that nobody else in the organisation is prepared to start it.
However, even ignoring the problems of comparing different risks or risk indicators with different cycles that change at different speeds through the day, week or month, such dashboards are useful only for comparing what is expected with what occurs. While predictability, or the lack of it, is a valid aspect of risk management and therefore of governance, it does not tell the whole story. Early warnings of departure from the norm may be missed. For example, following the Paddington rail disaster, it became apparent that BR and Railtrack had been warned several times of the difficulty for drivers of seeing signal 109, and this early warning was ignored. Identifying risks and controls of this nature can be achieved with a good and well-understood control self assessment (CSA) process.
Spencer concluded his presentation by saying: "The implementation of this process can only be successfully achieved by understanding the 'why' and practising and coaching in the 'how'. I truly believe that this is not the responsibility of a separate risk management or audit function, but a senior management responsibility. Senior management should seek to develop a dynamic corporate governance and risk management process to gain assurance that what happens in the business is consistent with achieving business objectives." He explained that the way senior management does this must depend on their organisation's requirements, current skills, organisation structure and culture.
A common theme throughout the conference was that, if organisations outsource the implementation of all or part of the corporate governance and risk management process, it is vital that the process is tailored to the requirements of the organisation concerned. It was also agreed that, whatever the situation, the risk manager should integrate the governance and risk management information into the current management information and decision support structure.
All concurred that identifying the risks and simply reporting them does not help an organisation, and that any decision as to the appropriate way to manage a risk must be implemented and reviewed. It is also not sufficient merely to decide on what to do with the inherent risk. Residual risk and retained risk must also be considered.
The key message of the conference was that corporate governance and risk management are the responsibility of the entire organisation. It is necessary to understand the controls, functions and processes of an organisation and summarise them effectively, looking for indicators that a risk may occur. An organisation that fails to understand this can be likened to one that builds its foundations on a river estuary. The building may look fine for a while, but in the end it will sink into the mud or be overwhelmed by a commonplace deluge.
Carole Edrich is a freelance journalist
One of BAA's challenges was to be sure that they were picking up the inherent weaknesses of their systems and processes. They faced this by implementing control alignment. However, since there was such a short time available to achieve so much in terms of control and risk assessment, and since it was known that even within the organisation, the environment and culture varied, it was reasonable to assume that the governance and risk management approach should also vary.
They could either spend a huge amount of time and resources deriving and checking risks and controls or help each organisational unit implement CSA. They found that CSA helped them get a consistent form of coverage, so that they could then focus on the most exposed business areas. CSA was supplemented by questionnaires, a good research department, knowledge of historical strengths and weaknesses and the ability for each unit to write a commentary as part of its CSA submission.
During the implementation of CSA, it was necessary to focus on three areas: fit to culture, the extent to which the audit department could use it, and whether the business was ready for it. BAA believed that the only way to implement such an exercise was by supporting the business units, and this responsibility fell to the internal audit department. BAA also implemented the IT Governance Maturity Model to provide management with tools to measure how well their departments' IT was governed.
John Mitchell of LHS Business Control said the real drivers for the implementation of corporate governance had little or nothing to do with Turnbull, but had come about because everyone in business should be trying to prevent loss. Governance, risk management and associated controls are set up to try to stop the loss occurring, to minimise it if it does occur and to prevent it happening again.
Once management has accepted its responsibility and the benefits, it is important to undertake a clearly defined exercise. This means answering six questions: