Assessing corporate culture at subsidiary level
Richard Sheath
12 October 2016
Culture: core questions for the Board
WHERE DO WE WANT TO GET TO? Is there a governance structure that supports oversight and strategic leadership around culture?
HOW CAN WE BE SURE IT IS COMING TOGETHER? How do we build evidence so we can know we are where we need to be?
Working out where we need to get to:
• What do we want to achieve and why?
• What role do we need to play?
• How does this fit with executive responsibilities?
• What governance structure needs to be in place?
Looking at what we’re doing as a board. How do we…
• currently exercise oversight?
• provide leadership on behaviours?
• discuss the strategic imperatives & implications?
• consider behaviour as part of our decision-making?
• communicate our objectives and concerns?
• assess behaviour roots of performance/problems?
What are the gaps: where we are and want to get to?
Assessing what management are doing to embed the right behaviours:
• How do we get a view of the executive approach/actions?
• How do executives manage behaviours downwards?
• How does our incentive approach align?
• How can we see the way cultural diversity is tackled?
• How do they see what people are doing day to day?
• What is the process for tackling problems?
Looking into the organisation:
• How do we know what’s going on inside?
• How do management give the Board insight?
• How is the behaviour angle covered in reporting?
• What is used to provide us with assurance/evidence?
• How do we assess the risks?
• How do we see/discuss the known problems?
Building a picture of behaviours: thinking through what surveys are covering. Getting a view of:
• how far expectations are understood
• how people see/react to day-to-day behaviours
• perceptions of manager
• messages/actions
• comparison of executive & manager behaviours
• views on what needs escalating and how
Extending out to subsidiary culture
WHERE DO WE WANT TO GET TO? Is there a governance structure that supports oversight and strategic leadership around culture?
HOW CAN WE BE SURE IT IS COMING TOGETHER? How do we build evidence so we can know we are where we need to be?
The same questions apply… but the context is different, both STRATEGIC and ORGANISATIONAL:
• How far do we want the same “culture”?
• How far is the same culture achievable?
• What are the risks?
• How is the risk appetite being applied?
• What is the environment?
• What is the organisational context?
• What is the group/subsidiary relationship?
• How is control exerted?
• How does governance oversight work?
• How do information/messages flow?
Putting it in context
The context is different… STRATEGIC: the environment. ORGANISATIONAL: the group/subsidiary relationship.
But then follow the same basic steps…
1. Reach a consensus on the need
2. Make sure you know what you’re aiming at - for the Group and each subsidiary
3. Recognise diversity – and work out how much you want
4. Determine what style of leadership you expect to see at group and subsidiary levels
5. You’ve limited reach and line of sight: so understand what management are doing
6. Make sure executives and management are on board – at Group and subsidiary levels
7. Think through the group relationships and how they are understood
8. Think through the language and communication angles
9. Work out how you are going to build the picture
And only then start assessing…
Get out there…
There’s no substitute for getting out there: site visits are a core source of insight and comfort
Use what you’ve got
PUTTING TOGETHER A PICTURE THROUGH A “CULTURE & BEHAVIOUR” LENS
Sources: external indicators; HR reporting; internal control indicators; staff feedback.
Indicators shown: customers, suppliers, investors, community, NPS (Net Promoter Score), complaints, social media, absenteeism, turnover, exit interviews, training, contract staff, media, whistleblowing, compliance breaches, audit reports, safety, health, environment.
PUT TOGETHER…WHAT ARE THESE INDICATORS SUGGESTING? Morale & motivation; what is expected?; what do I see?; how we treat people?; taking risks; making decisions.
What are the surveys actually covering?
And apply it to subsidiaries in the same way… but…
• Put it in context
• Work out with management how to distil the picture
• Understand how management are using the picture/indicators
• Link to the relative risks for each subsidiary (financial, regulatory, reputation…)
Build the same picture… And when it comes to surveys…
• Watch the language and relevance
• Work out how you’re going to use the data
© Independent Audit Limited 2016
Case study: Intertek Group plc
Roseanna Rowett and Ida Woodger
v1.0, 12 October 2016
Our Heritage
Intertek’s pioneering founders:
• 1885: Caleb Brett, cargo certification business founded
• 1888: Milton Hersey establishes a chemical testing laboratory in Montreal, Quebec
• 1896: Lamp Testing Bureau founded, later renamed ETL
• 1911: Moody International, Oil and Gas testing and certification business
• 1925: SEMKO electrical safety testing founded in Sweden
• 1927: Charles Warnock Company formed in Montreal, Canada to inspect steel products
• 1973: Labtest established in Hong Kong, initially focussing on textile testing
Intertek develops into an international testing business through acquisition and organic growth:
• 1984-87: Caleb Brett acquired
• 1987: “Inchcape Testing Services” formed
• 1988: ETL Testing Laboratories acquired
• 1989: Intertek enters China
• 1992: Warnock Hersey acquired
• 1994: SEMKO acquired
• 1996: Inchcape divests testing business to Charterhouse Development Capital
Intertek Group plc listed on the LSE:
• 2002: Intertek listed on the London Stock Exchange
• 2009: Intertek enters the FTSE 100
• 2011: Moody International acquired
• 2015: PSI building and construction assurance business acquired
What We Do
What we do every day: Assurance, Testing, Inspection, Certification
Which economic sectors: Products, Trade, Resources
Where: 100+ countries, 1,000+ laboratories, 40,000+ people
Our subsidiaries
33 joint-ventures, 80 branches, 312 wholly-owned subsidiaries
Our group structure
Intertek Group plc
UK entity 1: Middle East & Africa; China; South and South East Asia (50%)
UK entity 2: Russia, Europe & Central Asia; Australasia; North America; South and South East Asia (50%)
Our Company Secretariat support structure
• Group Company Secretary
• Regional Co Sec – North America
• Regional Co Sec – MENAP & SE Asia
• Regional Co Sec – China
• Company Secretarial Admin Assistant
• Deputy Company Secretary
• Company Secretarial Trainee
• Assistant Company Secretary
• Company Secretarial Assistant
Our subsidiary governance framework
Centrally managed – from London HQ
Locally managed – in country of incorporation
Assistance from external local legal and accountancy firms as well as the Group’s Auditor
Centrally managed components
• Core Controls Framework
• Policy on Subsidiary and Joint-venture company boards
• Parental guarantee guidelines
• Group-wide Authorities Cascade
• Blueprint Oneworld database – master data
• Incorporations, liquidations and restructuring
Our core controls
Guidelines on Powers of Attorney
Communication and management tools
• Regular catch up meetings and to-do list
• Online sharing platform
• Templates & procedures
• Sharing the load
• Record keeping
• Handovers
In practice
Table columns: Event / Project | Legal paperwork required | Internal approvals | Local points of contact | Key Co Sec considerations
Events / projects:
01 Director and shareholder meetings
02 Change of personnel
03 Annual Report
04 Treasury and tax projects
05 Acquisitions
Key Co Sec considerations listed across the events:
• Assistance in the DD process
• Funding and paperwork
• Closing & Integration
• Accuracy of Blueprint data
• Verification material available for audit
• Changes throughout the year
• Leaver and appointment procedure
• Consider share ownership – ESS and those held on trust
• Resulting board structure changes
• Minutes and resolutions
• Verification process – officers, share capital, company information
• Reconciliation of accounts - local books vs centrally held accounts (Cognos)
Take away points
01 Good communication is essential
02 Have a clearly defined strategy
03 Don’t be a bureaucrat
Competition issues for subsidiaries and boards
Parents mind your children
Nicole Kar
October 2016
Agenda
> Application of competition law and risks to companies
> Parental liability
> Managing and mitigating risks
> What does this mean for boards?
Competition law – a primer
The basic rules
Law prohibits | Who?
Abuse of dominance | Undertakings
Restrictive agreements/collusion | Undertakings (and in the UK, Austria, Germany, Ireland) individuals
The smoke filled chat room
> Recent investigations have seen competition authorities push the limits of antitrust and new regulators like the FCA take on antitrust powers and consider requiring expansive mandatory self reporting of competition breaches
> Focus is now beyond the classical “smoke filled room” and looks e.g. to different fora; collusion on non price parameters; and pure information exchange (e.g. price signalling)
Information exchange: Good, Bad, Ugly
Good:
> Historical data
> Aggregated/anonymised data
> Exchanges in public (i.e. the customer has equal access)
> Increases transparency for consumers/consumer benefits
Bad:
> Current data which discloses intended conduct
> Systemised, frequent exchanges
> Partly in private/partly in public – not genuinely public
> Covers a broad part of the market which is concentrated
Ugly:
> Future price/volume data or future strategic intentions
> Disaggregated, company specific data
> In private
> Highly concentrated market (few players)
Competition risks
Company risks: fines; damages claims; negative commercial impact; procedural costs; reputational damage
Personal risks: damages claims; imprisonment; disciplinary action; director disqualification
Cartel fines in the last 25 years
[Chart: cartel fines in million EUR by period (1990-1994, 1995-1999, 2000-2004, 2005-2009, 2010-2014, 2015-to date) for the EU, US and China; fines in the latest period are comparatively higher than in the previous period.]
Liability for individuals/board members in the UK
> Criminal cartel offence: no dishonesty requirement as of April 2014; is jury trial appropriate? “not in usual spectrum of fraud cases”
> Director disqualification: personal involvement; knowledge of conduct and failure to take action; where “ought to have known”
> Claiming damages from directors and employees? Safeway v Twigger: attempt to recover fines against individuals (really D&O insurance). Failed as against public policy
Advice for Directors: Insist on compliance programme and training in high risk areas (e.g. sales team in industrial companies), query anomalies.
Advice for companies: assess risk levels and tailor compliance programmes accordingly; do audits to monitor compliance; clean up conduct found.
Parental liability
Concept of parental liability
> In the EU, a parent company can be held jointly and severally liable for the conduct of its subsidiaries (in the broadest, not just accounting sense) (single economic entity doctrine)
> The parent does not need to be involved or aware of the subsidiary’s participation in the infringement
> Parental liability arises when parent and subsidiary constitute a “single undertaking” in the economic sense (the underlying legal structure is not decisive)
> The European Commission must in principle prove on the facts that the parent exercised decisive influence over the commercial policy of the subsidiary to show that they are a single undertaking (except if the parent has – almost - 100% shareholding)
The Akzo (rebuttable?) presumption
Shifts the Commission’s burden to prove that parent/subsidiary are a single economic entity, but:
> The Commission must prove that the conditions to apply the presumption are met
> The parent company must hold (almost) 100% of the subsidiary’s capital
> The Commission must identify unequivocally the addressees of the potential fine sufficiently early in the investigation (the statement of objections)
> In such cases the presumption becomes, in practice, impossible to effectively rebut
Outside Akzo
When the parent does not have (effectively) a 100% shareholding, the Commission must prove that the parent exercised actual decisive influence over the subsidiary’s commercial policy, which involves the unity of market conduct of the subsidiary and its management
> Market conduct/commercial policy includes strategic decisions and operational matters
> May be triggered at much lower levels of control (e.g. joint control and minority interests), relevant factors include actual control of the subsidiary’s board, management overlaps and reporting mechanisms
> PE investors can also be held liable if they did not act as a purely financial investor
Goldmans/Power Cables
> Commission decision in 2014 finding the Goldman Sachs Group, Inc. (GS) liable for the participation of one of its portfolio companies, Prysmian, in the Power Cables cartel (Euro 37.3m)
> GS had exited when the investigation started (and the infringement started before it purchased it)
> GS appealed the decision (ongoing proceedings before the EU General Court)
> Two clearly differentiated periods for GS, but the Commission held it liable throughout both periods
> 2005-2007: GS shareholding far below 100% for most of the period
> 2007-2009: GS minority shareholder
The Impact of Brexit
> Still a lack of clarity, but “hard” Brexit now seems likely (‘Great Repeal Bill’ to bring about a “fully independent, sovereign country” without being bound by ECJ law)
How might Brexit impact the CMA’s position towards parental liability?
> If the ECA 1972 is repealed, and the CMA is no longer bound by the European Courts’ jurisprudence (s 60 Competition Act), will it change its stance on parental liability?
> Unlikely. There are strong public policy reasons (e.g. deep pockets, deterrence, effectiveness of enforcement, recidivism uplift) for the CMA to maintain the approach taken by the EU
More generally, CMA has criminal powers and may be expected to enforce these actively without needing to think about interaction with EU law
Managing and mitigating risks
Acquiring new entities or businesses
> Pre-acquisition: due diligence should cover antitrust issues (may be difficult in an auction), identify industry hot spots and interview management. Easier when you are already active in the industry.
> Limiting risks by structuring acquisition (ideally, you will want full recourse)
> Asset deal: selling entity should not disappear, share deal: not to merge entity within acquirer
> Consider making the seller seek leniency prior to signing
Group companies’ compliance
> You will likely be liable for (indirect) subsidiaries, joint ventures and even minority investments’ conduct if there is control
> Do I want to know? TYPICALLY YES
> Effective compliance programmes, identify risk areas, but rolling out compliance programme can be seen as control!
> Any doubts/suspicions: do an audit
> If passive JV partner, ensure that there is no suggestion of control (e.g. water down your rights)
> Consider “remedial/clean up” action e.g. application for immunity/leniency
Acquiring new entities or businesses cont.
> Use robust warranties and indemnities to cover possible fines and/or damage claims
> But enforceability of indemnity clauses may be challenged in the UK on the basis of the ex turpi causa maxim
> Minority investment
> Carve-out infringing company/business if have knowledge
In any event, the Commission is pushing the boundaries and the options are becoming more limited
> Act early post-acquisition: address antitrust at first board meeting, end infringement, implement effective compliance programme
Disposals
> When selling a group company or an interest options include:
> Clean up conduct before the sale (seek immunity if appropriate)
> Limiting warranties and indemnity exposure (ideally, you want to walk away with clean hands)
> Beware of asset sales due to residual corporate liability
> Escrow account to cover potential liability
> Record of non-involvement and compliance efforts
Conclusions
What does this mean for boards?
> Compliance fatigue: stream competition risk assessment and controls with other risk areas facing the business (ABC, sanctions, etc.) but don’t ignore competition law.
> Ensure compliance programmes and training are fit for purpose and revisited regularly (e.g. with M&A, with expansion into new geographic areas; when new teams are hired from competitors)
> Consider contractual protections in acquisitions and limit exposure when disposing of group companies or businesses
Contact
Nicole Kar
Partner, National Practice Head
Competition Antitrust, London
Health and Safety – Subsidiary Governance
Health and Safety: Risk & Liability Review
Ann Metherall CEng FICE, Partner
24/07/15
Offence | Starting point* | Range*
Corporate Manslaughter Act | £7.5m | £4.8 - £20m
Health & Safety at Work Act | £4m | £2.6 - £10m
*assumes very high culpability and a turnover greater than £50m
How can the firebreak be undermined?
• H&S obligations
• Cases of:
• Chandler v Cape [2012]
• Thompson v Renwick [2014]
• R v CAV Aerospace [2015]
• Risk Factors
• Practical Steps
Purpose of limited liability subsidiaries? Tax? Firebreak?
Health & Safety Obligations/Consequences
HSWA: “organisations must ensure safety so far as reasonably practicable”
• s.2: Employees
• s.3: Everyone else affected by “scope of undertaking” (a factual question)
Corporate Manslaughter: duty of care based on negligence principles; gross breach caused substantially by the way senior management organises its business. Corporate Manslaughter creates no new obligations, just increases the consequences.
Chandler v Cape plc [2012]
• Claimant employed by a Cape subsidiary
• Exposed to asbestos dust
• Cape plc accepted subsidiary failed in its duty of care
• Subsidiary dissolved
• Claim against Cape plc
• Group Medical Advisor and scientific officer
• Board discussion on aspects of production
• Cape knew its subsidiary arrangements were defective
Court of Appeal found for claimant because its knowledge of the condition and asbestos risk meant it had a duty of care to advise the subsidiary what to do or to ensure steps were taken
Risk Factors
• Business of parent & subsidiary are the same
• Parent has or ought to have had superior H&S knowledge
• Parent knew or ought to have known system of work unsafe
• Parent ought to have foreseen subsidiary would rely on it
Pure holding company may reduce risk. Factual, and what does the parent say in its safety management system? Audits increase and reduce risk. Ignoring warnings from subsidiary increases risk. Centralised advice and medical support, and practice of intervention generally.
Thompson v The Renwick Group plc [2014]
• Claimant employed by a Renwick subsidiary
• Exposed to raw asbestos
• Subsidiary had no EL insurance or assets
• Claim against parent company
• No group directors on subsidiary board and subsidiary run by an “unconnected director”
Applying factors in Chandler, Court of Appeal found not liable on facts
Risk Factors (continued)
• Appointment of directors: mere appointment of subsidiary director not enough
• Sharing resources: co-operation between subsidiary without parent control ok. Problem if parent controls key element e.g. delivery/finance
• Corporate branding: avoid assets and paperwork asserting work done or decisions made on behalf of parent
R v CAV Aerospace [2015]
• Fatally injured person employed by CAV subsidiary
• Killed when stack of metal billets collapsed
• Corporate manslaughter and HSWA prosecution of CAV A
• Cases of Chandler and Thompson considered when establishing duty of care
• CAV A treated CAV C as supplier but did not give it control (no FD and purchasing and stock control governed by CAV A)
• Ignoring warning of near misses was most aggravating feature
Convicted of both offences. Fined £600,000
Risk Factors (continued)
• Conflict of interest/direction and control
• Run as a business division - no separate financial function
• Lack of independence
• Overlap of directors
A question of risk
Increased control may mitigate risk of safety failures, but increase exposure if something goes wrong. May be tainted anyway?
Practical Steps
• How likely are CM prosecutions? Does it matter?
• Rarely can Parent avoid any scrutiny
• Identify where in the organisation safety management decisions should be taken
• Robust on how decisions are recorded
• Does the safety management system reflect the reality?
• Check terms of reference for oversight committees
• How are decisions in JVs and SPVs taken?
• Robust and independent audit of subsidiary
• Follow through on actions and do not leave recommendations hanging
• Acquisitions
• Check how business fits into safety management structure
• Does company come with the competence to run it?
There was no clear and realistic thought given to the relationship between CAV A and CAV C particularly at the level of senior management and above.
Ann Metherall
Partner
Governance | Risk Management | Assurance © 2016 AndersonRisk
Risk Culture v Organisational Culture
Richard Anderson, Director, AndersonRisk
My agenda for today
• Why is risk culture important to business?
• Who has been talking about a “risk” culture?
• VW – a case study
• FRC, IIA, CIMA, CIPD, CVF – what are they saying?
• What do I think?
• A possible approach…
• Wrap up and questions
Why is risk culture important to business?
Why is risk culture important to business?
Five reasons: because of…
• People
• 300 years of failure
• Risk appetite
• Extended enterprise
• Societal impact
People
Human nature is … individualist … or … collectivist. What do you believe … ? I or C? Which do you think?
The way we live … “superiors” tell “inferiors” … or … “equals” negotiate the “rules”. Prescribed/In-equal … versus … Prescribing/Equal. Tell or Negotiate? T or N? Which way does it work?
People
[Diagram: a two-by-two grid with axes I (individualist) vs C (collectivist) and Tell vs Negotiate, giving four types: Fatalist, Individualist, Egalitarian, Hierarchist. Examples placed on the grid: Richard Branson and Philip Green (Entrepreneur); Greenpeace (Environmentalist); Prince Charles; Typical Government Chief Scientist; “What will be will be”.]
300 years of failure
The South Sea Bubble (1720); Savings & Loans (1986 - 1995); Polly Peck (1990); Maxwell (1991); Enron and .com Bubble (2001); Marconi (2006); Banking Crisis (2008); BP (2010); HSBC (2012); Wal-Mart (2012); Tesco (2014); Volkswagen (2015)
COSO Internal Control I & II
COSO ERM I & II (almost)
Cadbury to Corporate Governance Code
CoCo
King I, II & III
And the next disaster is
being incubated right now…
Risk Appetite
[Diagram: for each level (Strategic, Tactical, Project/Operational) the propensity to take risk and the propensity to exercise control; measurement of stakeholder value through risk metrics and control metrics; risk taking and exercising control linked by delegation and escalation.]
Risk Appetite
But any model of Risk Appetite makes heroic assumptions about the ability of the people in the organisation to cope within the ranges it sets…
The extended enterprise
[Diagram: a joint endeavour delivering outcomes across multiple economies in multiple societies. Parties shown: Customer 1, Customer 2, Customer 3, IP Owner, Regulator, Sub-Contractor 1, Sub-Contractor 2, IT Outsource Provider, Government, Supplier 1, Supplier 2, Agents, Prime Contractor, Labour.]
[Diagram: the same joint endeavour across multiple economies in multiple societies, with the factors that shape it: extent of shared values, allocation of incentives, relative power, regulatory influence.]
Culture is KING in
managing across the
Extended Enterprise…
Societal impact
Because the societal impact of failure is leading to breakdowns in society as witnessed in BREXIT and the rise of nationalism and protectionism versus free trade and globalisation
Who has been talking about risk culture?
The commentators
Organisation | Title | Pages | Culture | Risk Culture
DoJ (2010) | Bribery Act | 43 | 7 (16%) | Nil (0%)
NAO (2011) | Managing Risk in Government | 18 | 4 (22%) | Nil (0%)
IRM (2012) | Risk Culture – resources for practitioners | 114 | 893 (783%) | 344 (302%)
FRC (2014) | Risk Management etc | 28 | 20 (71%) | Nil (0%)
FSB (2014) | Guidance […] on Risk Culture | 14 | 100 (714%) | 70 (500%)
The FRC
• The board’s responsibility for the organisation’s culture is essential to the way in which risk is considered and addressed within the organisation and with external stakeholders.
• The board must determine its willingness to take on risk, and the desired culture within the company.
• The board has ultimate responsibility for RM…, including for the determination of the nature and extent of the principal risks it is willing to take to achieve its strategic objectives and for ensuring that an appropriate culture has been embedded.
• Training and communication assist in embedding the desired culture and behaviours in the company. To build a company culture that recognises and deals with risk, it is important that the RM and IC systems consider how the expectations of the board are to be communicated to staff and what training may be required.
Department of Justice
Principle 2 - Top-level commitment
• “The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable.”
• “Those at the top of an organisation are in the best position to foster a culture of integrity where bribery is unacceptable. The purpose of this principle is to encourage the involvement of top-level management in the determination of bribery prevention procedures. It is also to encourage top-level involvement in any key decision making relating to bribery risk where that is appropriate for the organisation’s management structure.”
FSB
• “An anticipatory and strategic approach to supervision rests, among other things, on the ability to engage in high-level sceptical conversations with the board and senior management on the financial institution’s risk appetite framework, and whether the institution’s risk culture supports adherence to the board-approved risk appetite.”
• “Culture can be a very complex issue as it involves behaviours and attitudes. But efforts should be made by financial institutions and supervisors to understand an institution’s culture and how it affects safety and soundness. While various definitions of culture exist, supervisors are focusing on the institution’s norms, attitudes and behaviours related to risk awareness, risk taking and risk management, or the institution’s risk culture.”
The FSB’s top four indicators of the risk culture
• Tone from the top;
• Accountability;
• Effective communication and challenge; and
• Incentives.
IRM Risk Culture Framework
[Figure: IRM Risk Culture Framework, nested layers: Risk Culture, Organisational Culture, Behaviours, Personal Ethics, Personal Predisposition to Risk]
IRM’s risk culture framework looks at component parts making up an organisation’s risk culture
• How will I react?
• How will I respond in recognition of other competing needs?
• What will I do?
• What will we do?
• Our overall risk culture
Risk culture aspects model
[Figure: Risk Culture aspects model, four aspects with two elements each]
• Tone at the Top: Risk Leadership; Dealing with Bad News
• Governance: Accountability; Transparency
• Decisions: Risk Informed Decisions; Reward
• Competency: Risk Resources; Risk Skills
VW: a case study
Objectives
• To be the biggest car manufacturer in the world
• To move motorists across to diesel engines as requested by the EU
• To demonstrate compliance with Californian air quality requirements
Core personal values
1. Social responsibility: Innovative employment models and social involvement.
2. Sustainability: Human rights, labour standards, environmental protection: there are many facets to sustainability.
3. A spirit of partnership: Equality and humanity: fairness is important to us.
4. "Pro Ehrenamt" volunteering initiative: Have you ever thought about becoming a volunteer? There are many ways to get involved - and there's one near you.
Sustainability
“We aim to be the world’s most successful, fascinating and sustainable automobile manufacturer. For the Volkswagen Group, sustainability means that we conduct our business activities on a responsible and long-term basis and do not seek short-term success at the expense of others. Our intention is that everyone should profit from our growth – our customers and investors, society and, of course, our employees. In this way, good jobs and careful treatment of resources and the environment form the basis for generating lasting values.”
Global Compact
• Since 2002, Volkswagen has been involved in one of the largest and most important CSR initiatives in the world
• This sets out the Ten Principles of human rights covering working standards, environmental protection and combating corruption
• “Together with 12,000 companies from over 170 countries, Volkswagen works in diverse international CSR projects towards making the global economy more sustainable and fairer. An annual progress report documents our projects.”
Failing to live up to their standards
• Emitting larger amounts of NOx than allowed was not in line with looking after the Human Rights of communities where their cars were sold;
• Lying to regulators by installing this software is fundamentally corrupt when you define corruption as “the abuse of entrusted power for private gain”; and
• Clearly the engineering solution was not consistent with environmental protection.
Where they failed
1. Values
2. Silos
3. Layering
4. Short-termism
5. Control v Risk
6. Obstruction
7. Black holes
FRC, IIA, CIMA, CIPD, CVF – what are they saying?
The Culture Coalition
Organisation | Title | Pages | "Culture" (count; count per page) | "Risk Culture" (count; count per page)
FRC (2016) | Corporate Culture and the role of boards | 62 | 435 (702%) | 7 (11%)
IIA (2016) | Organisational Culture | 27 | 366 (1,355%) | 31 (115%)
CIMA (2016) | Rethinking the Business Model | 38 | 5 (13%) | 0 (0%)
CIPD (2016) | A Duty to Care | 38 | 381 (1,002%) | 0 (0%)
CVF (2016) | Governing Culture, Risk & Opportunity | 30 | 130 (433%) | 0 (0%)
FRC guidance on culture: a missed opportunity
62 pages of platitudes:
• How chairmen and chief executives are vital to the culture;
• How non-executive directors should probably be involved, but poor individuals, they find it hard;
• How culture is so very important, but it really is difficult;
• How important it is for directors to exhibit their corporate values;
• How hard pressed heads of internal audit want to do work in this area, but their boards are not ready
My conclusions on the FRC report
So rather than see some wishy-washy platitudes with “suggested” topics for boardrooms to discuss, when they get round to it, it is time for the FRC to commission first class research from people who have genuinely thought about the subject – both academics and practitioners. And then we can talk constructively about the importance of culture versus risk culture and just how we can measure and manage both of them.
And the others
• CIIA: only about assurance. Little about managing the culture or risk culture and no reference to the differences
• CIMA: seem to have forgotten the topic
• CIPD: NOTHING about risk culture
• CVF: Ditto
The risk…
The participants in the FRC’s Culture project, led by the FRC, have let directors wriggle off the hook: substantially ignoring Organisational Culture (because they only spoke in platitudes) and totally ignoring Risk Culture, which barely gets a mention.
What do I think?
Risk v Organisational Culture
Unlike some, I firmly believe that there is a major difference between the “Culture” of an organisation and the “Risk Culture”. I also think that the two elements are entirely measurable by looking at the conversations and risk conversations (the cultural DNA) in the organisation.
Culture: The culture of the organisation is built from the behaviours, beliefs, attitudes, activities and ethical responses of the individuals in the organisation and determines how those individuals will respond to issues in the “here-and-now”. It is influenced by the tone from the top, incentives and the social & regulatory environment.
Risk Culture: “The risk culture of the organisation is about how individuals tackle the complexity of the multiple futures that face them in dealing with issues today. It is about “tomorrow” rather than the “here-and-now”. It is what gives an organisation the resilience to tackle difficult decisions today while having an eye on the impact tomorrow.”
My model of risk management has now changed…
Traditionally I see risk management as a trade-off between two pairs of tensions:
1. Taking more managed risk – v – Avoiding pitfalls
AND
2. Performance culture – v – Corporate ethics and behaviours
I now add a third pair of tensions:
3. Allowing the needs of today to dominate because of the corporate culture – v – Allowing the needs of tomorrow to dominate because of the risk culture
In summary, I think that…
• Organisational Culture and Risk Culture are different
• Both are vital to retaining and growing long term sustainable value
• The Risk Culture is poorly understood but ignoring it is potentially very dangerous
• VW, the GFC, HSBC, and LIBOR show that problems STILL exist
• We MUST demonstrate to boards why this is important
• We MUST develop practical approaches to managing Risk Culture
A possible approach…
Assessing the Risk Culture: three traditional steps
1. Desk Top Research. But… not often that much policy worthy of review in terms of risk culture.
2. Surveys. But… most surveys suffer from groupthink and you can’t move beyond it.
3. Interviews. But… most senior people will give the right answer anyway so you learn little.
So we have introduced a fourth step
1. Desk Top Research
2. Surveys
3. Interviews
4. Conversations in Risk
Conversations in risk management
[Figure: a network of risk conversations around “You”, with links to the CFO, CEO, CMO, Back Office, Suppliers and Clients]
[Chart: share of “Production and Projects” risk conversations by counterpart department (0% to 75% scale): Production and Projects, Sustainability and HSE, Drilling, Exploration & New Business, Finance, Other]
Production and Projects
In this organisation, there were six organisational departments. “Production and Projects” talked a lot about risk, but 73% of their conversations were WITH THEMSELVES: they were not dealing with risk by talking to other experts in the organisation… About 22% were with their “Sustainability and HSE” department.
Sustainability and HSE
But the “Sustainability and HSE” department was not listening, because less than 10% of their risk discussions were with Production and Projects and a whopping 72% were WITH THEMSELVES. This organisation was HOPELESSLY silo’ed and they did not recognise it in themselves. They needed to work together because of the economic environment, but their risk culture was shot to pieces and the business was following downhill.
[Chart: share of “Sustainability and HSE” risk conversations by counterpart department (0% to 75% scale): Production and Projects, Sustainability and HSE, Drilling, Exploration & New Business, Finance, Other]
Three states for a conversation
Unmatched → Partially Matched → Completely Matched
(The Desired Direction of Travel)
Three states for a conversation
[Chart: percentage of conversations in each state: Unmatched | Partially Matched | Completely Matched]
This diagram, straight from our system, shows all of the participants in the exercise and (rather depressingly) shows that none of the conversations was matched. They had a lot of work to do to turn this round, and they needed to do so quickly.
This picture simply illustrates the richness of the data showing linkages between individuals. Each connection is based on a set of data that we analyse and summarize to come to the board level view. It also explains why the underlying data are actionable…
And where cultures clash…
Issues which any board should want to know about:
• Values: Significant deviations from the board’s values.
• Silos: Especially where an organisation is facing complexity in its dealings internally or externally.
• Layering: Layered management reporting prevents new issues being spotted on a timely basis.
• Short-termism: Extrapolation from past behaviours is not necessarily good enough for dealing with new futures.
• Control v Risk: Control (or risk control) management instead of risk management.
• Obstruction: Individually obstructive nodes can be very dangerous.
• Black holes: Sometimes it is difficult to discern any volume of conversations about risks.
Wrap up and questions?
Resources:
1. IRM Risk Appetite and Tolerance Guidance:
https://www.theirm.org/media/464806/IRMRiskAppetiteExecSummaryweb.pdf
2. IRM Risk Culture Guidance:
https://www.theirm.org/media/885907/Risk_Culture_A5_WEB15_Oct_2012.pdf
3. FRC Culture document: https://www.frc.org.uk/Our-Work/Publications/Corporate-Governance/Corporate-Culture-and-the-Role-of-Boards-Report-o.pdf
4. FSB Risk Culture: http://www.fsb.org/wp-content/uploads/140407.pdf?page_moved=1
5. AndersonRisk Commentary on Risk Culture:
http://andersonrisk.com/publications/downloads/ (and check my publications on LinkedIn)
6. AndersonRisk board agenda: http://andersonrisk.com/publications/downloads/
7. AndersonRisk blog: http://andersonrisk.com/conversations/
Tel: +44(0)7807 780284
www.AndersonRisk.com
Thank you!