Should the Big-4 be Broken Up?

See the BBC news story here about an OFT review of the Big-4.
My view? External audit is now largely outdated. The binary nature of the opinion renders it useless, and instead of focussing on backward-looking KPIs (aka “the accounts” or “financial report”) it is time we moved on to a more meaningful method of providing assurance to external stakeholders.

Of course this is not just a UK problem, and there probably is not a good way yet of dealing with this on an international basis.

Risk Appetite and Risk Tolerance

The Institute of Risk Management released a consultation paper on Risk Appetite and Risk Tolerance this week. The paper can be found here. I know that there is a wide divergence of views on risk appetite, ranging from outright hostility to making risk management any more complicated (a subject to which I will return in due course) to firm support for the development of thinking in this area. Personally, I believe that it could be a turning point for making risk management an important tool in the management of our organisations.

The paper has been prompted in part by the Financial Reporting Council’s new UK Corporate Governance Code. I am also finding myself debating risk appetite with more and more clients, all of whom are looking for practical and meaningful ways of implementing risk appetite as the next step on their risk management development. In this paper, we have sought to pull together some of the existing thinking in this area, and we have also sought to inject some fresh ideas. Both the IRM and I would greatly welcome your feedback.

I am very conscious of the fact that the document is framed in the context of the UK Corporate Governance Code: it therefore could appear to be (a) UK-centric and (b) only relevant to listed companies. In fact I think it is entirely transferable anywhere in the world and is as relevant to small private organisations and those in government and the third sector as it is to large quoted companies. However, I acknowledge that it will take some interesting further development to stretch the ideas to fit all organisations. But if we keep in mind that the aim is to develop helpful guidance, rather than develop yet another tick-in-the-box approach to governance, we should be able to do that!

The link (http://www.theirm.org/publications/risk_appetite.html) will take you to the IRM website and on that webpage you will find two further links: one for the Executive Summary, and one for the full document (which also includes the Executive Summary). To badly misquote George Bernard Shaw: we could not write a short document until we had written a long one. I hope that this represents a helpful contribution to the debate about the board’s responsibilities for risk appetite and risk tolerance. I do not think that we have written the last word on the subject, but rather I hope that we have set the debate going.

The IRM is circulating this document widely and would very much welcome your views. Does it provide useful guidance to organisations in defining their risk appetite? Does the approach make sense? What is missing? What would you remove? We would very much like to hear.

Please feel free to circulate the document widely within your organisation and then to forward any comments to Carolyn Williams, Head of Thought Leadership at IRM on carolyn.williams@theirm.org by Tuesday 31 May 2011. Needless to say, I am also interested in hearing your thoughts! Personally I am particularly interested in hearing about your experiences with risk appetite and understanding how you have overcome some of the interesting challenges it poses!

We are aiming to publish a final version of the document later in the Summer, taking account of comments received.

r-NXDs (this may be a UK-centric descriptor - but read on...)

Since I left PwC in 2001 I have firmly been of the view that risk management was going to be represented in the boardroom (or C-Suite) with a CRO type person. In the UK they would join the board, in the USA perhaps the C-suite. I am now seeing this come to fruition.

However, I am equally interested in the non-executive side of the equation. We need NXDs (non-executive directors - if that is indeed a UK-centric descriptor) who are business-savvy, numbers-savvy and now, I would argue, risk-savvy.

I would be interested to hear of examples of non-executive directors who have a business risk background in boardrooms with which you are familiar. Does that work? Do they add value? Is there a role? Do they help deliver the all important assurance environment?

I would also be interested to hear your views as to whether there is a need for what I am calling the r-NXD.

Strategic Risk

Risk management has a history of sloshing about in the nether regions of the organisation: focussing on operational type risks, processes, insurance, that type of thing. Don't get me wrong, I think those things are important, but shouldn't we be dealing with the strategic issues? You know, M&A, what is the future of the organisation? What is coming at us over the horizon?

I have a view that we should be looking a lot more at strategic risk, and I like to tie it back to value drivers (via objectives?) such as those that drive shareholder value (or whatever your equivalent might be for our organisation).

This leads me to pose several questions:
  • Do we as a profession have enough face time with the CEO and Chairmen of our organisations?
  • Do we get involved in strategic plans before or after they happen? E.g., do we get involved in risk-based due diligence after the transaction is announced, or when options for acquisitions are being discussed?
  • How often do we, as a profession, facilitate board awaydays focussing on more distant strategy (say 5 to 10 years out)?

Ethics and Risk Management

It is my contention, as I have often said, that Corporate Ethics is one of four key attributes of Risk Management, and that it is often in tension with a performance culture (another of my four key attributes).

A number of things have cropped up over the recent years:
  • Clearly Toyota has some "ethical" questions to answer with regard to brakes, accelerators and now steering systems.
  • It seems unutterably proven that there were dubious (at best) ethics in banking which allowed the situation to arise for the financial crisis.
  • A few politicians in the UK have exhibited less than the highest standards in the ethical field.
  • Greece (aided and abetted by at least one bank) appears to have been cooking the books, with disastrous consequences for other Eurozone countries.
  • BAe has paid a stinging penalty to the US and a modest one in the UK.
  • We have a new bribery act coming onto the statute book in the UK (if it gets through before the election).

I believe that risk management can ONLY work where there is an ethical dimension to the organisation. And yet, perversely, this allows free-riding unethical corporations to duck and weave unhindered and leave the ethical corporation trailing - at least for a period of time.

I would welcome people's views on the interaction of ethics and risk management.

Management Rheumatism

I have been thinking about the need for a cure for what I describe as Management Rheumatism: a disease that typically occurs in older organisations, where the need for security (and therefore control) far outweighs the ability to embrace and implement change. For more see here...

Risk Appetite - reality v. aspirations

I have a new paper on risk appetite which has been written following on from a discussion on LinkedIn about Risk Appetite. The on-line discussion was followed by a real discussion at the Institute of Risk Management (www.theirm.org). The aim is to develop some practical guidance on the subject, which will be the subject of a follow-on paper in due course. I am truly grateful to all those who took part in the discussion and especially to those who have allowed me to quote them in the paper. The paper is here...

