|
|
Thursday, 25th April 2024 |
| Risk and controls reporting - can you see the risk wood for the compliance trees? |
Back |
| The onslaught of new regulations and corporate governance requirements such as Cadbury, Turnbull, and Higgs, as well as Sarbanes-Oxley and Basel II, are causing companies to suffer from compliance fatigue. The symptoms of this condition include an inability to see beyond complying with the next initiative, and a desire to stick simply to the letter of the law in applying governance recommendations, writes Conor Griffin. To overcome this, companies need to achieve real control of corporate governance, which requires direct and active involvement at the highest level. |
The long and winding regulatory road
For more than a decade, a steady stream of regulation and guidance addressing corporate governance has emerged from various sources. Names such as Cadbury, Turnbull, Higgs etc, are readily associated with a progression of measures designed to ensure that businesses achieve high levels of transparency and disclosure, and to ensure that their organisations are well-positioned to identify and manage risk. In addition, many companies have been involved in the considerable efforts (and expense) that Section 404 of Sarbanes-Oxley imposed with regards to evaluating and disclosing the integrity of financial reporting controls. Basel II compliance has also required banks to build and embed a risk management structure which imposes yet another set of internal control processes. But for many the experience of Basel II and Sarbanes-Oxley has raised awareness of a number of gaps and deficiencies in documentation, reporting systems and controls.
Suffering compliance fatigue
With this high volume of regulation and guidance, it is perhaps not very surprising that some organisations have experienced the onset of what might be called compliance fatigue. The symptoms of this condition include an inability to see beyond complying with the next initiative, and a desire to stick simply to the letter of the law in applying governance recommendations. This reaction, though understandable, is a pity. Because, by looking beyond the immediate impact of regulation, companies could be in a position to investigate at a more fundamental level the opportunities that are available from taking a close look at the controls and risk management processes that they have in place. Regulation if used in the right way can, in fact, act as an enabler of much broader and deeper benefits across an organisation.
Don’t simply create controls; take control
One of the outcomes for some businesses that have undertaken the review of financial controls demanded by Sarbanes-Oxley, has been the ‘rediscovery’ of disciplines and controls that may have been temporarily neglected. They have realised that many of these disciplines, such as consistency, improved coordination and codification, are worth having because the overall business control that they generate is directly correlated to superior management capabilities. In fact, some businesses that have not been compelled to implement a Sarbanes-Oxley programme have elected to carry out a partial exercise based on its demands in order to identify areas of control weakness and take the necessary remedial steps.
What these experiences show is that there is a significant gap between having the ‘right’ controls in place, and having real control. Controls per se are only doing their job if their combined effect is to provide real control over the business. To create control, a mindset is needed, from the top down, that sees the review and implementation of relevant controls as a genuine opportunity to create a well-managed business, that operates with a clear understanding of its risks and has the management of those risks embedded in its core. And that means much more than conforming to minimal standards or complying with regulations by ticking boxes.
The focus on control processes and functions should prompt senior management to review their fundamental approach to risk management. Effective risk management resides in the DNA of the organisation. It needs to be a built-in organisational capability or reflex, rather than a series of measures that are bolted on to an existing structure. And to achieve such embedded risk management means starting at the top.
How do organisations begin to understand their own appetite for risk, and how can this be managed and communicated throughout the business? Rather than asking about the organisational arrangement of risk and control reporting, senior executives need to probe how effective it is. Does it help the business to make better decisions and to improve its performance? Does it provide real control within the business, so that everyone understands the expectations on them, and the types of behaviours that are acceptable in their specific role or business unit?
Senior management needs to begin asking questions that identify how risks are being taken within specific business units, and how consistent those risks are with an overall appetite for risk within the organisation. The board needs to understand the level of risk that is acceptable to investors and then communicate that effectively so that the business is able to deliver to those expectations. By creating control with the appropriate mechanisms and reporting functions, the board is able to capture a clear and measured view of risk within the organisation that others are able to act upon.
Seeing the risk wood for the compliance trees
One unarguable impact of the stream of reform over the last decade and more has been to demonstrate unambiguously where ultimate accountabilities lie within a listed business: the board. Directors, both executive and non-executive, must understand their own accountabilities and the questions they need to ask (and who they need to ask them of) in order to discharge those accountabilities effectively.
So, to be able to respond to and influence the boardroom it is imperative that directors take steps to understand the sources of assurance available to them, and how these can be optimised to maximise their understanding of how risk and control operates within the business.
A whole range of corporate assurance functions has emerged within the business organisation, each of them designed to gather and report information that can provide assurance to business stakeholders. In a typical organisation, these include internal audit, quality management, health and safety, legal, compliance, treasury, as well as specific programme and project reviews.
Each of these functions reports (or has the potential to report), directly or indirectly, to the board. In many cases, therefore, it is not a question of too little information. Instead, it is the quality and relevance of the information that needs to be right. In other words, it’s not the number of conversations that counts. Only the quality of the questions asked and the relevance of the answers given in response determines a director’s ability to develop a holistic picture of the risks the business is taking and how these are controlled and managed.
The quality of assurance information, and how effectively this is communicated, is directly linked to business confidence. Rather than an overlay on the existing business activities, effective assurance is embedded within it. Assurance, in fact, is itself a key business process. And just as it is the case with other key business processes, it needs to be carried out as effectively and efficiently as possible.
Directors are spending an increasingly large proportion of their time sitting on committees and attending to governance-related issues, time that they can ill-afford to spare. By questioning the efficiency of the current organisation, gaps and deficiencies as well as duplications can be identified. The result of their investigations should provide the opportunity to create a leaner risk and controls reporting framework that not only provides more robust and relevant assurance, but frees up valuable senior management time.
A new focus for Internal Audit?
There may be a key role for Internal Audit to play on behalf of the board and Audit Committee in delivering this new capability. But it is likely that this role which is significantly different from Internal Audit’s traditional remit and skills base will require a realignment of resources and skills and the active engagement and sponsorship of board members. The skills and knowledge required to provide assurance around complex areas such as those impacted by Basel II, in particular, will prove challenging for Internal Audit functions.
Achieving real control requires direct and active involvement at the highest level. Rather than taking a step-by-step approach, senior management needs to view the challenges as a continuum. Having control from the top of the organisation – and being able to communicate effectively to investors and stakeholders that you are in control – is much more than a regulatory-driven activity. It is a fundamental expectation on all businesses. |
Conor Griffin is a senior manager with Ernst & Young’s Risk & Advisory Services practice. The material in this article is provided for general information purposes only and does not constitute professional advice.
|
| Article appeared in the April 2006 issue.
|
|
|
