Corporate Governance, risk and control: why there is still a long way to go
By Steve White, Director of Risk Assurance, PricewaterhouseCoopers
Corporate governance is about doing the right thing. It is about ensuring that an integrated network of controls, policies, structures and behaviours is used to ensure the proper control and direction of an organisation in both the short term and the long term. It is primarily the role of internal auditors and risk managers, together with functions such as HR, security and business continuity (i.e. an organisation’s ‘custodians’), to ensure that good governance is observed.
From the ‘top-down’ (strategic) viewpoint Enterprise Wide Risk Management (“EWRM”), if properly applied, should provide a sound platform for good corporate governance by effectively binding together the key factors of: strategic planning, budgeting/financial control, internal controls, operational management and people development.
However, many readers will appreciate that true EWRM is still only found in a minority of organisations. Accordingly, whilst I will return to the strategic view later, I want to spend most of this article discussing the alternative, bottom-up (tactical) view of corporate governance. Specifically, I want to advocate the view that at this level all custodians need to challenge themselves as to whether they are properly identifying risks and thoroughly assessing controls, for in my own experience it is by doing just that that custodians begin to gain real credibility with boards and audit committees.
When a risk is not always what it seems
Most organisations now recognise the need to undertake risk assessments, and most also recognise that these risk assessments are applicable across all aspects of operations, not just the traditional audit areas of financial reporting. However, it is often the case that risk assessments fail to identify real risks, with the result that subsequent attempts to mitigate those risks are inherently ill-focused and potentially a misuse of scarce corporate resources.
So what is a “real risk”? One should always seek to ensure that any given risk is described in two parts, i.e. that it contains both a cause and an effect. Or, to put it another way, the proper wording of a risk should explain what ‘current situation’ might lead to what possible ‘future risk-event’. Risks are often described merely as statements of fact (“This project is complex”) or without any description of their cause (“We will lose sales in this new market”). As described, these are not real risks and their mitigation is unclear. When a risk properly sets out both a cause and an effect, its mitigation becomes clearer and much more focused, because that mitigation can be aimed at the ‘cause’ of the risk rather than, as is often the case, at its ‘effect’.
Thus real risks might be described as: “We have inadequate technical skills to deliver a project of this complexity” or “Unless we overcome problems in product supply we will not meet our sales targets in France”. Risks described in this manner make it much easier to see where action is required, i.e. the lack of technical skill or the problems in the supply chain. And if these seem like over-simplified examples, I have seen even simpler ones in reality many times.
The other advantage of being able to focus mitigation where it really bites is that, because much effective mitigation relies on sound internal control, the ability to assess a control environment from a crisp and direct risk management perspective is not only good practice but also a key element in, for example, planning relevant and value-added internal audits. How effectively those audits are actually delivered, however, raises another challenge to ways of working: the way in which internal controls are assessed.
An internal control or an open door?
A truly rigorous assessment of internal control depends on true scepticism when testing those controls. It is helpful to look at controls from the point of view of an ‘opponent’, i.e. the person or entity (be they competitors, hackers, hostile bidders etc) seeking to abuse certain controls in order to pose a threat to an organisation. The key question for those assessing the effectiveness of internal control is not “How can I ensure that this control works?” but rather “How can I get round this control?”, whether by stealing passwords, forging signatures, setting up bogus suppliers, submitting false CVs etc.
This approach to assessing internal controls can be usefully supplemented by training, which is particularly effective when it draws on real examples of control breaches, often stemming from frauds and breaches of security. So whilst it is fair to acknowledge that there are many experienced internal auditors, risk managers and other custodians who are thoroughly aware of the need to be sceptical (and who indeed apply that scepticism more often than they might be given credit for), it remains the case that any general level of healthy scepticism can always benefit from being refreshed through, for example, external training.
One of the commonly cited examples of this approach to control assessment is pre-employment screening (“PES”), the absence of which should ordinarily drive operational risk higher across an organisation. Whilst most recruiters, HR departments etc are increasingly aware of the value of some form of PES (especially as workforces become more mobile and geographically widespread) and can apply it themselves, at a deeper level this good risk management through sceptical control assessment may require further expert knowledge, e.g. of degree mills (“universities” which simply sell qualifications), non-existent Oxbridge colleges, mailing lists masquerading as memberships of august institutions, or applicants of a certain age who should have O-levels rather than GCSEs.
Moving beyond the mainstream
Remaining with the bottom-up approach towards good governance, there is another aspect of control behaviours that is worth addressing, namely how the presence of good governance in any area of operations will tend to improve governance per se across that organisation by improving the ‘culture of compliance’. For example, there are numerous industries where health and safety is paramount (e.g. oil/gas, chemicals, food production, construction etc), and that culture of H&S compliance tends to lead to good compliance throughout all areas of operation. The relevance to internal auditors in particular is the increasing extent to which they are being asked to assess control compliance in many areas of operations which have traditionally been outside their mainstream.
A current example is the improved attitude to sound environmental processes that results from an organisation seeking compliance with the ISO 14001 Environmental Management Standard. In and of itself, environmental compliance is beneficial in direct terms of legal assurance, improved efficiency in energy use and waste reduction, but the good behaviours inherent in doing the right thing environmentally are bound to have an impact in other areas of an organisation as it becomes more culturally familiar with the importance of complying with processes per se. This is a legitimate area for internal auditors and risk managers to add value through independent assessment.
The other corporate advantage of improved operational compliance of this type is that it occurs in parts of an organisation where the ideas of compliance and of being internally audited are less familiar, e.g. on the shop floor. Similar benefits arise from many other areas of operational compliance, such as business continuity planning, fraud risk management and information security, all of which are increasingly familiar to internal audit and operational risk management.
Value in looking down from above
At the strategic (top-down) level, risk management can, if applied in the correct manner, deliver particularly real and lasting benefits to the board. The essence is to start with an organisation’s long-term business plan and the key objectives within that plan. With these in mind, a risk identification process can be undertaken whereby the board, for example, is asked to consider what might prevent the organisation from being successful. There are actually some benefits in not even mentioning the word ‘risk’, which can have negative connotations and may fail to draw out thoughts that would otherwise not be revealed.
Once reviewed and moderated, these considerations can then be set out as draft risks (using the cause and effect approach) for discussion with the board as a whole. It is at this point that the power of this approach is revealed, because each risk should relate to at least one business objective and vice versa. However, in my experience this is not always the case: objectives sit with no risks identified against them, or there are categories of risk which cannot easily be applied to any objective. Situations such as this raise a number of interesting possibilities. Either:
• Not all risks have been identified – not an uncommon situation on the first run through of any risk assessment, which is often an iterative process. Or, even more interestingly;
• Not all the corporate objectives are valid – which means there may be a need to re-assess the organisation’s long-term plans from which those objectives stem.
This approach sets the basis for sound corporate governance through a high-level risk analysis properly reconciled to an organisation’s objectives. It provides a platform for a rigorous audit universe of relevant business processes and a good understanding of which of those processes should be acting to mitigate which key risks.
In conclusion
All stakeholders will ultimately benefit from being part of an organisation that is run efficiently, legally and ethically, but which also has a risk appetite for future success. The challenge in good corporate governance is ensuring that the need to maintain control today is reconciled with the need to achieve, develop and change long-term strategic objectives, and especially that the two remain reconciled over time as distractions inevitably arise. It is my view that real risk management, allied to properly sceptical control assessment, is essential for this to be achieved.
November 5th, 2007