Richard Eddolls, Head of Platforms, Corestream, looks at the implications of last year’s updates to the Financial Reporting Council’s Corporate Governance Code, with regard to board-level responsibilities for risk management.
In October last year, the Financial Reporting Council (FRC) published its latest changes to the UK Corporate Governance Code. Geared towards ensuring that UK-based businesses identify and manage risk properly, the code affects all those listed on the LSE. But a year on from the publication of this new code, are businesses taking it seriously and what can they do to demonstrate that the measures they have in place are both appropriate and effective?
There’s no doubt that risk management has become a primary consideration in terms of meeting corporate governance objectives over recent years. Increasingly, investors and regulators expect business leaders to be able to identify the principal risks to the business, to articulate how these risks are measured and managed, and to explain how their strategy fits with the organisation’s culture and appetite for risk.
Adding value is fundamental to business success, but any attempt to create value also brings the risk of miscalculation and this is where many businesses fail. Failure happens as a result of either an inability to understand the risks that they face or an inability to manage these risks correctly. Put like this, it’s evident that effective risk management is key to long-term success. Yet businesses have to confront the same challenge the world over. Continuous change combined with new technology, new markets, and greater competition has increased both the rate at which these threats emerge and their potential impact.
Unfortunately, most British businesses are still poorly placed to comply with the new standards. Back in September 2014, Deloitte reported: “for the majority of businesses, especially those in less regulated industries… the adoption of these changes will represent a significant challenge.”
Fast-forward a year later, and Deloitte found that “many [organisations] do not yet have a risk process in place that goes sufficiently beyond the identification of principal risks. The detailed work required to really understand these risks, how they are being mitigated and monitored and whether the risk profile is changing, is often either absent, or currently happening in an uncoordinated way… there is also limited integration of the risk management process into key business planning and decision making processes.”
So what does the FRC’s UK Corporate Governance Code entail? Previously it stated that the board of directors is responsible for maintaining sound risk management and internal control systems, and that these systems should be reviewed at least once a year. The new code takes this considerably further:
• Assessment of Principal Risks: Directors must carry out a robust assessment of the principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity. They should also describe those risks and explain how they are being managed or mitigated.
• Monitoring of Risk Management and Control Systems: The board should monitor the company’s risk management and internal control systems, and review their effectiveness at least once a year. Monitoring and review should cover all material controls, including financial, operational and compliance controls.
In essence, the directors of any company wishing to comply with the code must put in place a single, comprehensive process for risk identification and management, which is continually monitored and subject to regular review. Furthermore, they will need to explain what action has been taken to remedy any identified failing or vulnerability.
Meanwhile, updated auditing standards require external auditors to state whether they have anything to add to the board’s statements on principal risks and the results of their reviews. Therefore, internal controls, monitoring tools, and reporting structures need to be clearly evidenced or demonstrated to satisfy the auditors that adequate measures are being taken.
While companies with a premium listing on the LSE are subject to the code it nonetheless represents best business practice, and as such it is reasonable to expect that a more comprehensive and integrated approach to risk management will come to be seen as the accepted standard for well-run companies. With this in mind, what should forward-thinking businesses be looking to do?
There is no off the shelf-solution to this problem – technology, people and process must be considered in equal measure. From a technology perspective, solutions provide a platform for centralising risk management across the organisation, together with a range of sophisticated tools that allow for maintenance and review of risk registers. This brings a number of benefits:
• Risks can be linked to internal controls, mitigating action plans, policies and processes, enabling the company to demonstrate what is in place to manage or mitigate risk.
• Periodic or recurring reviews of risks and controls can be initiated automatically, ensuring that the system is properly maintained and regularly updated.
• With all content in one place, reporting is automated and efficient. Reports are in real time; and it is straightforward to identify issues that really need attention, and whether particular risks or risk types are causing concern across the business. It helps solve the data problem.
Remember: technology is an enabler rather than a solution. Poor risk management is principally a matter of people and processes, and acquiring a set of new tools won’t change this. However, once underlying problems have been addressed, technology allows risk management to be more coherent and efficient, and much less onerous.
At the end of the day, the FRC’s new standards provide an opportunity for improvement. Embedding risk management within the organisation, and ensuring that it is integral to planning and decision making processes makes sound business sense. It will focus business leaders on the company’s core, value-adding operations and encourage them to deal pro-actively with risk. It will produce better quality, more timely management of information, which will in turn result in better business decisions and an organisation that is both more cohesive and far more responsive to change.
By Richard Eddolls
Head of Platforms
Corestream
http://www.corestream.co.uk/