Working In Uncertainty
The crisis in management control and corporate governance
by Matthew Leitch, first published 23 November 2002 (updated 6 January 2003 and 9 September 2003).
Introduction to the crisis and revised questionnaire
This document explains in plain language why certain risk management methods often adopted by major organisations in the UK and elsewhere in response to growing regulations on corporate governance and internal control have proved largely ineffective and time wasting in practice. This is not the result of incompetence or dishonesty; it is simply that requirements have increased and at the same time experience has shown that the techniques generally thought appropriate when first proposed do not work very well.
Since the first version of this questionnaire became available on the Internet I have received many e-mails from people around the world saying how good it is, and how challenging. Although I had initially intended it to apply to UK listed companies only, feedback shows that people in the public sector and in other countries with different regulatory requirements think it is a powerful test and easy to understand.
This web page gives you information and insight that will help you decide if your own company has a problem with risk management, and whether to act on it. There's a detailed evaluation checklist, so if you know what risk management is and just want ammunition, or want to see whether your own processes pass the test, skip the next section and go straight to the diagnostic questions. Alternatively, if you want to understand the UK background to the current crisis and read a description of risk management in corporate governance in plain English, carry on reading from here.
UK background to the crisis
In 1992, following a series of high profile corporate frauds and accounting scandals, the London Stock Exchange introduced new regulations covering various aspects of corporate governance such as who could be a director, what committees the Board of directors should have, and what steps they should take to ensure their company's accounts could be relied on and their assets were safeguarded. These new rules were based on the Cadbury Committee's Code of Best Practice for the financial aspects of corporate governance and applied to companies listed on the London Stock Exchange.
At around the same time a highly influential document was published in the USA, written by accountants Coopers & Lybrand for the Committee of Sponsoring Organisations of the Treadway Commission, and called the ‘COSO framework’. Accountants and auditors had for years been using the term ‘internal controls’ to refer to things people do in organisations to check for, or prevent, errors and fraud, particularly where they affect money and other valuable assets, and accounting.
The COSO framework took the traditional concept of ‘internal controls’ and pointed out that internal controls had to provide protection against risks (i.e. bad things that might happen) and that those risks would change over time, so organisations would have to monitor their risks and change their internal controls to meet their changing risks.
So, one of the things that companies started doing to meet the Stock Exchange's requirements was to get senior executives together in workshops to identify risks and think about what they were doing about them. The results of these workshops were written down and called ‘risk registers’ or ‘risk maps’. Typically, participants in the workshops would call out risks they thought of and the group would then rate the risk for its ‘likelihood’ and ‘impact’ and say what was being done about the risk and what more, if anything, needed to be done.
These workshops came to be called ‘risk management’ and, in theory, complemented more rigorous work on buying insurance for the company and calculating its exposure to financial risks such as currency fluctuations and outstanding debts. Banks have more complicated calculations to perform and need systems to provide daily risk statistics.
Proponents of this kind of process argued that it was good for companies and they should not even need the Stock Exchange's rules as motivation. They argued that the workshops should be carried on down through the levels of management in a company as something sometimes called ‘enterprise risk management’.
Another common response was to introduce a regular procedure where managers throughout the company had to sign documents saying that they thought the internal controls in the part of the business they were responsible for were adequate. This is usually called ‘control self assessment’. Often, this documentation would be the output of a workshop.
The original rules have since been revised and the current UK rules are within the Hampel Committee's ‘Combined Code’, with the requirements on internal controls being explained and interpreted in the ‘Turnbull guidance’ issued by the Institute of Chartered Accountants in England and Wales. Now UK listed companies have to evaluate their internal controls covering all types of risk, and not just the risk of incorrect accounts.
It is not surprising that risk workshops in most companies today are using methods and models that fall far short of the best available risk analysis and management techniques. The most common techniques were inspired by notions of risk and analysis used by accountants and auditors, which are non-mathematical and crude compared to styles of risk analysis developed in safety management, medicine, insurance, banking, investment, artificial intelligence, mathematics, and public policy analysis.
The Sarbanes-Oxley crisis
More recently Enron and then Worldcom collapsed, and yet more corporate scandals came to light causing outrage around the world. In the USA the Sarbanes-Oxley Act of 2002 was enacted very quickly to put in place a range of new laws to make such scandals less likely. Included in this Act were two very interesting new requirements concerning internal controls, including the risk management processes that are supposed to keep internal controls up to date. Section 302 effectively forced SEC registered companies (including UK companies with a listing in the USA) to evaluate the effectiveness of the internal controls over any information they issue to the capital markets and publish the conclusions of their evaluation. Section 404 added a requirement for an annual assessment of the effectiveness of internal controls and procedures specifically for financial reporting, which must be published and attested to by the company's external auditors.
In other words, for the first time, in most cases, the effectiveness of internal controls was to be audited and publicly reported. It may surprise you that this had not been required before. Surely external auditors were already doing this? Well, they weren't. Under the UK's Combined Code companies have to describe the procedures they have followed to evaluate their internal controls, and external auditors have to confirm that what they say is true. If a company's procedures sound reasonable when described in very general terms the regulations are satisfied. There is no pressure for the procedures to be effective and no requirement for external auditors to comment on the effectiveness of internal controls. Therefore, the Sarbanes-Oxley Act was a great change for UK companies that also have a listing in the USA.
The requirements of sections 302 and 404 didn't come into force immediately. The Act called on the SEC (the regulator of financial markets in the USA) to introduce rules to enact the requirements of sections 302 and 404. Section 302 came into effect almost immediately, but did not require external auditing. The more controversial section 404 requirement for external audit was delayed after lengthy consultation on more than one occasion, but now applies to large companies with shares listed in the USA.
The key point is that companies affected, in theory, now need to have an effective method of risk management in place if they are to avoid great embarrassment, and the indications are that many do not have an effective approach because of technical flaws in top-level risk assessment and management.
I say ‘in theory’ because in practice the true effectiveness of risk management workshops, risk registers, and the associated reporting has not been put to a proper test. The auditors who do the evaluations are simply happy to see the methods they believe should be in place, despite their obvious flaws.
But, this could change at any time. All it would take is one influential scandal or a growing trend for critically reviewing risk registers and the game would be up.
The management control crisis
At the same time, the global economy slowed and many companies that thought they were heading towards huge profits now found themselves in trouble. The worst affected companies include those linked to the internet (such as computer, software, and telecom companies) and companies linked to air travel.
Companies in difficulty are less able to absorb unexpected problems and desperately need to grab every good opportunity to improve their situation. Unfortunately, the style of management control that has become almost ubiquitous in developed countries since the mid 20th century does not perform well. Budgets and scorecards are supposed to provide management with a control mechanism that works like a thermostat, or collection of thermostats. Management set targets and the control system measures actual results and feeds back the difference between actuals and targets as a spur to action to reduce the differences.
This simply does not work well in practice for a number of fundamental reasons. Most importantly, problems have to affect a company's results before action is taken, which is too late, while opportunities are often ignored altogether because they do not give rise to variances.
Risk management involves looking ahead for things that might happen and taking action in advance. In principle this is clearly an important part of a better approach but so far what most companies have been doing is not frequent or effective enough to work properly.
This questionnaire gives a number of diagnostic questions for you to consider. It is in three sections. If your interest is mainly in whether your existing process has flaws which may be challenged by an external auditor you may prefer to complete only Section A. If you are also interested in whether risk management is doing something useful for your company take the time to complete sections B and C also.
You can print it off and write your answers in pen, or complete it on screen and print when you have finished. There is a button at the very end that will produce a convenient summary of your answers that you can copy and paste into a word processor or e-mail. If you leave this page before printing you will lose your work, though you can go Back to it from the summary page.
It doesn't matter if you are not sure what the answers are in some cases, but these questions work best if you have a copy of a recent risk register from your company and written procedures for the risk management process to hand so you can check it for evidence of various faults. Each point is explained in practical terms so that you can make up your own mind as to how serious the problem is if it exists in your company.
The questionnaire is completely confidential. Your answers are not sent back to me or anyone else so if you don't print them off they're gone. If you use this diagnostic I don't expect you to let me know your results, but I would be very grateful if you could at least let me know you intend to use it so I can see that something is happening. I will keep the fact that you have used my questionnaire confidential. Send me a quick e-mail at firstname.lastname@example.org.
Hundreds of people receive notification of new publications every month. They include company directors, heads of finance, of internal audit, of risk management, and of internal control, professors, and other influential authors and researchers.
Words © 2002 Matthew Leitch.