The FRC’s radical new approach to corporate risk management: A change is gonna come

Two guidance documents on the changes and how to respond to them are available here.
Also, some FAQs on the changes here.

In September, the regulator for UK corporate governance and reporting, the Financial Reporting Council, changed the UK Corporate Governance Code and issued new Guidance relating to risk. Reactions to the documents have been mixed. A recent though unpublished independent survey I have seen found that four in five corporate executives polled (though not using an unbiased sample) felt that the FRC’s changes would have little or no impact on their risk management approach. Most of them are wrong.

The original guidance, developed by a committee convened by ICAEW under the chairmanship of Rank Group finance director Nigel Turnbull, had survived largely unchanged since 1999. Heavily focused on internal control, the Turnbull Guidance was strongly influenced by the prevailing accounting logic of its sponsoring organisation. To confuse matters, a standard on risk management issued by the Australian and New Zealand standards bodies in 1995 (and subsequently globally, in amended form) adopted very similar focus and language from the conceptual source of both documents – the US COSO initiative; again, therein, internal control was paramount. But accounting is not risk management; internal control is not risk management.

The processes and routines that have emerged from 15 years of Turnbull-inspired risk practice have emphasized the qualitative over the quantitative. Firms have routinely identified risks using the same objectives–risks–controls logic of COSO, frequently through elicitation workshops. The results have been subjective assessments of risk events’ probability of occurrence and impact. And the more the merrier: many firms have ended up with registers containing literally thousands of risks. The emphasis has been on control-type approaches to assurance that the risk management approaches identified have been effected. Few technical risk skills have been needed to design or implement such approaches.

There are multiple problems with such an approach. First, accounting logics for completeness, valuation and classification differ from those that are useful for understanding and analyzing risk and uncertainty. Secondly, the existence of tacit objectives – analogous to tacit knowledge – means that no firms’ statements of objectives can reflect the full set of objectives that operate within the firm; behavioural and relational objectives are most frequently those left out of the mix. Subjective elicitation approaches can improve firms’ risk management temporarily through increased salience. However, despite the loud advocacy of risk proselytes, there is NO EVIDENCE that such approaches are sustainably effective over time. And there are plenty of reasons why they are not sustainably effective and are misdirective, misleading or offer false assurance.

In response to changing understanding of risk and firms’ routines for approaching risk and uncertainty, the FRC – heavily influenced by the report of the Sharman Inquiry into going concern statements – has issued a significantly revised risk guidance to accompany the changes to the Corporate Governance Code. While, at first blush, the document is not that dissimilar from earlier guidance, close reading of it reveals a radical re-framing of the regulator’s perspective of the corporate risk agenda. It is essentially a volte-face: the FRC now requires firms to augment or replace their historic, Turnbull-type, subjective approaches to risk elicitation with a far more robust, strategic and unambiguously quantitative approach to risk identification and analysis.

In relation to firms’ risk management, the key changes specified by FRC arise in the following areas:

  • Focus on risk and uncertainty in strategy
  • Risk appetite
  • ‘Culture’ and behaviour
  • Ongoing monitoring v. periodic review of principal risks
  • Longer term viability statement

The new FRC Guidance emphasises the strategic focus of the board’s consideration of risk and uncertainty and links this to the risks and the quantum of risk the firm wishes to assume and retain – the firm’s risk appetite. The FRC also underscores the board’s responsibility for ongoing monitoring of ‘principal’ risks – the risks that could threaten the viability of the firm.

The FRC also specifies that the firm should “determine . . . the desired culture” and ensure that “appropriate culture and reward systems are embedded throughout the organisation.” While the requirement is not operable as stated, the additional focus on behavioural systems in the firm is to be welcomed.

By far the most significant practical changes relate to (i) the requirement for listed firms to develop a longer-term viability statement that they must present in their annual report and (ii) the expectation that the viability assessment will be quantitatively framed and analytically robust. This is long overdue. In broad terms, it raises the level of analysis in risk to a standard expected of comparably sized asset managers. While methods will differ from portfolio risk approaches used by asset managers, the analytic discipline the new guidance imposes will assist corporate businesses to frame their risk efforts more constructively than previous guidance and should, over time, improve their management of risk. The approaches are sensible, coherent and appropriate. The FRC has done shareholders a considerable service.

The problem firms will encounter is that expertise to perform such analyses – of strategy, culture and quantitative analysis of risk and relating it to firm-level appetite, capacity and capabilities required for risk-taking and retention – is rare. For years, most professional advisory firms have been trumpeting subjective risk elicitation approaches – the very approaches the FRC is now saying are insufficient – as ‘best practice’. For a similar number of years, we have been arguing that such claims are illusory and destructive of value; that firms should take a more analytical approach as a core element of their governance and that risk can and must pay due attention to behavioural routines in the firm. We are gratified that the FRC now agrees.

To help firms to understand and interpret the new requirements in the Code and Guidance documents, we have prepared two guides:

  1. A review of how we got here – why the changes are part of a well-established trend in governance in the UK, and
  2. How firms can and should respond to the FRC’s changes

These guides can be accessed through our website.

There is no doubt that, in the words of the great Sam Cooke (who was shot dead in Los Angeles 50 years ago last week), ‘a change is gonna come’ to corporate risk management. The changes present to firms a coherent and rational approach to objectivist and analytic risk management. They make sense and firms can use them to improve their decision-making, resource allocation and assessment of economic performance. Firms can either work to understand the changes and seek within them sources of advantage, or they can comply reluctantly, expensively and, probably, unproductively. The choice is yours.


4 thoughts on “The FRC’s radical new approach to corporate risk management: A change is gonna come”

  1. Peter

    Who do you think recognizes that the model used for the viability statement could and should be one used for planning and overall risk management? Who sees any overlap at all between decision modelling and risk management when the FRC and others like the continue to portray risk management as an exercise in listing risks (and uncertainties)?

  2. Matthew, I know this was clear in the mind of the chairman of the committee that developed the FRC’s Guidance; Jim, for one, was very clear on the utility of such an approach. Unfortunately, his sudden (and wholly unnecessary) departure was another opportunity of the FRC taking clear aim at its own foot. I strongly suspect, also, that the relevant FRC executive director (who will remain nameless) has her head clearly around the point. But that doth not a movement make and doing things properly takes mental effort that repeating last year’s box-ticking waste of time does not. P

    • What a pity. The combination of good intentions and bad means is summed up by this sentence from the introduction to the Guidance: “Effective development and delivery of a company’s strategic objectives, its ability to seize new opportunities and to ensure its longer term survival depend upon its identification, understanding of, and response to, the risks it faces.” All is well until the phrase “identification, understanding of, and response to, the risks it faces.” That’s when the train falls off the rails once again. The sentence even begins with the unusually wise mention of developing objectives (which risk management guidance usually ignores). There is also some prose about RM and IC being ‘embedded’ but within a page this has all been turned into another document on listing and managing risks which most will deal with using a risk register, High-Medium-Low, and so on.

  3. Well, we live in hope. The Committee drafting the Guidance leaned heavily (and wholly appropriately) on the findings of the Sharman Enquiry resulting in the excellent Appendix B to the Guidance. It may take a couple of years – possibly even longer – but eventually commercial reality and the superior utility of such an approach over the HML nonsense you rightly deride should, repeat should, win out. Certainly the CEOs and board members to whom I’ve spoken about these things profess that they get it, but I’m not sure it has resulted yet in any actions that would improve performance or resilience. Still, as I say, we live in hope. P

