Tuesday, May 17, 2011
My view? External audit is now largely outdated. The binary nature of the opinion renders it useless, and instead of focussing on backward-looking KPIs (aka “the accounts” or “financial report”) it is time we moved on to a more meaningful method of providing assurance to external stakeholders.
Of course this is not just a UK problem, and there probably is not a good way yet of dealing with this on an international basis.
Saturday, May 7, 2011
The paper has been prompted in part by the Financial Reporting Council’s new UK Corporate Governance Code. I am also finding myself debating risk appetite with more and more clients, all of whom are looking for practical and meaningful ways of implementing risk appetite as the next step on their risk management development. In this paper, we have sought to pull together some of the existing thinking in this area, and we have also sought to inject some fresh ideas. Both the IRM and I would greatly welcome your feedback.
I am very conscious of the fact that the document is framed in the context of the UK Corporate Governance Code: it therefore could appear to be (a) UK-centric and (b) only relevant to listed companies. In fact I think it is entirely transferable anywhere in the world and is as relevant to small private organisations and those in government and the third sector as it is to large quoted companies. However, I acknowledge that it will take some interesting further development to stretch the ideas to fit all organisations. But if we keep in mind that the aim is to develop helpful guidance, rather than develop yet another tick-in-the-box approach to governance, we should be able to do that!
The link (http://www.theirm.org/publications/risk_appetite.html) will take you to the IRM website and on that webpage you will find two further links: one for the Executive Summary, and one for the full document (which also includes the Executive Summary). To badly misquote George Bernard Shaw: we could not write a short document until we had written a long one. I hope that this represents a helpful contribution to the debate about the board’s responsibilities for risk appetite and risk tolerance. I do not think that we have written the last word on the subject, but rather I hope that we have set the debate going.
The IRM is circulating this document widely and would very much welcome your views. Does it provide useful guidance to organisations in defining their risk appetite? Does the approach make sense? What is missing? What would you remove? We would very much like to hear.
Please feel free to circulate the document widely within your organisation and then to forward any comments to Carolyn Williams, Head of Thought Leadership at IRM on firstname.lastname@example.org by Tuesday 31 May 2011. Needless to say, I am also interested in hearing your thoughts! Personally I am particularly interested in hearing about your experiences with risk appetite and understanding how you have overcome some of the interesting challenges it poses!
We are aiming to publish a final version of the document later in the summer, taking account of comments received.
Monday, March 8, 2010
However, I am equally interested in the non-executive side of the equation. We need NXDs (non-executive directors - if that is indeed a UK-centric descriptor) who are business-savvy, numbers-savvy and now, I would argue, risk-savvy.
I would be interested to hear of examples of non-executive directors who have a business risk background in boardrooms with which you are familiar. Does that work? Do they add value? Is there a role? Do they help deliver the all important assurance environment?
I would also be interested to hear your views as to whether there is a need for what I am calling the r-NXD.
Thursday, February 25, 2010
I have a view that we should be looking a lot more at strategic risk, and I like to tie it back to value drivers (via objectives?) such as those that drive shareholder value (or whatever your equivalent might be for our organisation).
This leads me to pose several questions:
- Do we as a profession have enough face time with the CEO and Chairmen of our organisations?
- Do we get involved in strategic plans before or after they happen? E.g., do we get involved in risk-based due diligence after the transaction is announced, or when options for acquisitions are being discussed?
- How often do we, as a profession, facilitate board awaydays focussing on more distant strategy (say 5 to 10 years out)?
- Does anyone have any really good war stories on this that you are happy to share online?
Wednesday, February 17, 2010
A number of things have cropped up over the recent years:
- Clearly Toyota has some "ethical" questions to answer with regard to brakes, accelerators and now steering systems.
- It seems unutterably proven that there were dubious (at best) ethics in banking which allowed the situation to arise for the financial crisis.
- A few politicians in the UK have exhibited less than the highest standards in the ethical field.
- Greece (aided and abetted by at least one bank) appears to have been cooking the books, with disastrous consequences for other Eurozone countries.
- BAe has paid a stinging penalty to the US and a modest one in the UK.
- We have a new bribery act coming onto the statute book in the UK (if it gets through before the election).
I believe that risk management can ONLY work where there is an ethical dimension to the organisation. And yet, perversely, this allows free-riding unethical corporations to duck and weave unhindered and leave the ethical corporation trailing - at least for a period of time.
I would welcome people's views on the interaction of ethics and risk management.
As ever, I am likely to turn the discussion into a paper in due course, summarising the contributions - if you are uncomfortable with that, let me know in your response.
Monday, January 25, 2010
Feedback welcome, as always!
I look forward to feedback: I thrive on feedback!