After a rather long gestation, the revisions to the Corporate Governance Code emerged in the autumn last year with a great deal to say about the linkage of going concern to uncertainty and risk.
Much of that is about pushing boards to look more at risks to achieving short and long-term strategic objectives. The changes are “beefed up” with new guidance on risk management, internal control and reporting (we will all have to get out of the habit of referring to “Turnbull”). It is tempting to think “there’s not much change” and just the odd tweak is needed.
But boards should see the changes as an opportunity to rethink what they are doing regarding risk and internal control.
That is a big topic, more than we can cover here, but here are a few thoughts on how the changes might impact boards and audit (risk) committees.
Things to consider: Boards are now to look “robustly” at the “principal” risks tied into business objectives. How that differs from the previous “significant” risks doesn’t matter too much—it is emphasising threats to the business model, future performance, solvency or liquidity.
This ties in with the longer-term emphasis on going concern, and an emphasis on linking risk and strategy further into the future. So a board should take stock of what it is doing with its “strategic risk list”: what’s in it, what’s not in it and what it is doing about it. Then you have to talk about this externally, probably more fully than before.
Things to avoid: Simply carrying on with what you do already—or at least not stopping to think where something different is needed. With the strategic risk list: Are these really the risks that could undermine the business model and performance? How far does the board really understand how they are being managed—or how far they can be? And are we really reporting what matters? Scratching the surface and seeing it all as a compliance-driven, unavoidable process is not where you want to be.
Things to consider: Using the changes to the Code as an opportunity to think through what you want from the board’s review of risks. Working out how the risk matrix presentation can be used to support strategic discussion, whether it makes sense to look at it standalone (as most boards do) or as an integral part of the strategy discussions, and using it to consider what’s not on the list as a starting point.
Things to avoid: Getting stuck in a rut over the risk presentation. Having done it now for a long time, and seeing it come around all too regularly (and often when the annual report approval is needed), too many boards have lost sight of what they are trying to do with the risk matrix and just accept that they are supposed to do it without questioning why.
Things to consider: There’s now more emphasis on the longer term. So boards need to think more about the risk profile: What is principal and might hit us today? What might be out there in the future as a fundamental threat to our model?
And how does this fit with the assumptions we are using for our modelling and forecasts? The link between strategy, risks and assumptions, now and in the future, needs drawing out.
Things to avoid: Saying “we don’t know what’s out there, so thinking long term is pointless”. That is dodging the responsibility to think ahead. Forward-thinking about risk is just part of longer-term strategy development. And boards should have a clear picture of the main assumptions, as well as have an opportunity to discuss them.
Things to consider: There is a new challenge concerning internal controls for the audit committee—and management. It is now a matter of monitoring risk management and internal control systems as an ongoing process.
So, some thinking is needed on how to use a combination of good risk-controls-assurance mapping, and more effective use of all three “lines of defence” to get a clearer picture and more structured comfort.
Things to avoid: Sticking with the current process for reviewing the internal control framework. It is a bad but common habit for this to be tied to the annual statement on internal controls. That puts it in a compliance context when it needs to be a strategic question. Some audit committees just do not give it enough time, or do not demand enough justification, or evidence from management. Tie it into strategy and principal risks better, and it might just be possible to get more value from the exercise.
Things to consider: There is much more emphasis on organisational culture coming out of the guidance, with more being expected from the board and committees. It is clear on this: simply setting the desired values is not enough.
A board should be looking at what is meant by “tone at the top”; what programmes management have in place, and the board’s role in this; and how it can get a picture of the “culture” with practical, meaningful KPIs.
Things to avoid: Putting it in the “too difficult” box. Or simply thinking that remembering to review the code of ethics from time to time is enough.
A structured approach is now needed with the topic appearing specifically on the board agenda, with clear objectives for the discussion and an open-minded approach to helping management think through how to embed values. And do not just accept that “it can’t be measured”: quite a few existing KPIs can give a picture if viewed in the context of culture.
Richard Sheath is a director at Independent Audit.