In September, the regulator for UK corporate governance and reporting, the Financial Reporting Council, changed the UK Corporate Governance Code and issued new Guidance relating to risk. Reactions to the documents have been mixed. A recent though unpublished independent survey I have seen found that four in five corporate executives polled (though not using an unbiased sample) felt that the FRC’s changes would have little or no impact on their risk management approach. Most of them are wrong.
The original guidance, developed by a committee convened by ICAEW under the chairmanship of Rank Group finance director Nigel Turnbull, had survived largely unchanged since 1999. Heavily focused on internal control, the Turnbull Guidance was strongly influenced by the prevailing accounting logic of its sponsoring organisation. To confuse matters, a standard on risk management issued by the Australian and New Zealand standards bodies in 1995 (and subsequently globally, in amended form) adopted very similar focus and language from the conceptual source of both documents – the US COSO initiative; again, therein, internal control was paramount. But accounting is not risk management; internal control is not risk management.
The processes and routines that have emerged from 15 years of Turnbull-inspired risk practice have emphasized the qualitative over the quantitative. Firms have routinely identified risks using the same objectives–risks–controls logic of COSO, frequently through elicitation workshops. The results have been subjective assessments of risk events’ probability of occurrence and impact. And the more the merrier: many firms have ended up with registers containing literally thousands of risks. The emphasis has been on control-type approaches to assurance that the risk management approaches identified have been effected. Few technical risk skills have been needed to design or implement such approaches.
There are multiple problems with such an approach. First, accounting logics for completeness, valuation and classification differ from those that are useful for understanding and analyzing risk and uncertainty. Secondly, the existence of tacit objectives – analogous to tacit knowledge – means that no firms’ statements of objectives can reflect the full set of objectives that operate within the firm; behavioural and relational objectives are most frequently those left out of the mix. Subjective elicitation approaches can improve firms’ risk management temporarily through increased salience. However, despite the loud advocacy of risk proselytes, there is NO EVIDENCE that such approaches are sustainably effective over time. And there are plenty of reasons why they are not sustainably effective and are misdirective, misleading or offer false assurance.
In response to changing understanding of risk and firms’ routines for approaching risk and uncertainty, the FRC – heavily influenced by the report of the Sharman Inquiry into going concern statements – has issued a significantly revised risk guidance to accompany the changes to the Corporate Governance Code. While, at first blush, the document is not that dissimilar from earlier guidance, close reading of it reveals a radical re-framing of the regulator’s perspective of the corporate risk agenda. It is essentially a volte-face: the FRC now requires firms to augment or replace their historic, Turnbull-type, subjective approaches to risk elicitation with a far more robust, strategic and unambiguously quantitative approach to risk identification and analysis.
In relation to firms’ risk management, the key changes specified by FRC arise in the following areas:
- Focus on risk and uncertainty in strategy
- Risk appetite
- ‘Culture’ and behaviour
- Ongoing monitoring v. periodic review of principal risks
- Longer term viability statement
The new FRC Guidance emphasises the strategic focus of the board’s consideration of risk and uncertainty and links this to the risks and the quantum of risk the firm wishes to assume and retain – the firm’s risk appetite. The FRC also underscores the board’s responsibility for ongoing monitoring of ‘principal’ risks – the risks that could threaten the viability of the firm.
The FRC also specifies that the firm should “determine . . . the desired culture” and ensure that “appropriate culture and reward systems are embedded throughout the organisation.” While the requirement is not operable as stated, the additional focus on behavioural systems in the firm is to be welcomed.
By far the most significant practical changes relate to (i) the requirement for listed firms to develop a longer-term viability statement that they must present in their annual report and (ii) the expectation that the viability assessment will be quantitatively framed and analytically robust. This is long overdue. In broad terms, it raises the level of analysis in risk to a standard expected of comparably sized asset managers. While methods will differ from the portfolio risk approaches used by asset managers, the analytic discipline the new guidance imposes will assist corporate businesses to frame their risk efforts more constructively than previous guidance and should, over time, improve their management of risk. The approaches are sensible, coherent and appropriate. The FRC has done shareholders a considerable service.
The problem firms will encounter is that expertise to perform such analyses – of strategy, culture and quantitative analysis of risk, and relating it to the firm-level appetite, capacity and capabilities required for risk-taking and retention – is rare. For years, most professional advisory firms have been trumpeting subjective risk elicitation approaches – the very approaches the FRC is now saying are insufficient – as ‘best practice’. For a similar number of years, we have been arguing that such claims are illusory and destructive of value; that firms should take a more analytical approach as a core element of their governance and that risk management can and must pay due attention to behavioural routines in the firm. We are gratified that the FRC now agrees.
To help firms to understand and interpret the new requirements in the Code and Guidance documents, we have prepared two guides:
- A review of how we got here – why the changes are part of a well-established trend in governance in the UK, and
- How firms can and should respond to the FRC’s changes
These guides can be accessed through our website.
There is no doubt that, in the words of the great Sam Cooke (who was shot dead in Los Angeles 50 years ago last week), ‘a change is gonna come’ to corporate risk management. The changes present to firms a coherent and rational approach to objectivist and analytic risk management. They make sense and firms can use them to improve their decision-making, resource allocation and assessment of economic performance. Firms can either work to understand the changes and seek within them sources of advantage, or they can comply reluctantly, expensively and, probably, unproductively. The choice is yours.